diff --git a/awsconfigs/common/dex/kustomization.yaml b/awsconfigs/common/dex/kustomization.yaml
new file mode 100644
index 0000000000..e3d5dc069e
--- /dev/null
+++ b/awsconfigs/common/dex/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+bases:
+- ../../../upstream/common/dex/overlays/istio
+
+patchesStrategicMerge:
+- patches/service.yaml
+- patches/disable-nodeport.yaml
\ No newline at end of file
diff --git a/awsconfigs/common/dex/patches/disable-nodeport.yaml b/awsconfigs/common/dex/patches/disable-nodeport.yaml
new file mode 100644
index 0000000000..5a17f91eb6
--- /dev/null
+++ b/awsconfigs/common/dex/patches/disable-nodeport.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: dex
+spec:
+  ports:
+  - name: dex
+    port: 5556
+    protocol: TCP
+    targetPort: 5556
+    nodePort: null
\ No newline at end of file
diff --git a/awsconfigs/common/dex/patches/service.yaml b/awsconfigs/common/dex/patches/service.yaml
new file mode 100644
index 0000000000..e0bdb47f0f
--- /dev/null
+++ b/awsconfigs/common/dex/patches/service.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: dex
+spec:
+  type: ClusterIP
diff --git a/charts/apps/jupyter-web-app/Chart.yaml b/charts/apps/jupyter-web-app/Chart.yaml
index ecedebf17d..97cbc10a24 100644
--- a/charts/apps/jupyter-web-app/Chart.yaml
+++ b/charts/apps/jupyter-web-app/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: v1.7.0
 description: A Helm chart for Kubernetes
 name: jupyter-web-app
 type: application
-version: 0.2.0
+version: 0.2.2
diff --git a/charts/apps/jupyter-web-app/templates/ConfigMap/jupyter-web-app-config-mgf762gt24-kubeflow-ConfigMap.yaml b/charts/apps/jupyter-web-app/templates/ConfigMap/jupyter-web-app-config-mgf762gt24-kubeflow-ConfigMap.yaml
index 0d6d6cc779..14b0683958 100644
--- a/charts/apps/jupyter-web-app/templates/ConfigMap/jupyter-web-app-config-mgf762gt24-kubeflow-ConfigMap.yaml
+++ b/charts/apps/jupyter-web-app/templates/ConfigMap/jupyter-web-app-config-mgf762gt24-kubeflow-ConfigMap.yaml
@@ -1,95 +1,11 @@
 apiVersion: v1
 data:
-  spawner_ui_config.yaml: "# Configuration file for the Jupyter UI.\n#\n# Each Jupyter\
-    \ UI option is configured by two keys: 'value' and 'readOnly'\n# - The 'value'\
-    \ key contains the default value\n# - The 'readOnly' key determines if the option\
-    \ will be available to users\n#\n# If the 'readOnly' key is present and set to\
-    \ 'true', the respective option\n# will be disabled for users and only set by\
-    \ the admin. Also when a\n# Notebook is POSTED to the API if a necessary field\
-    \ is not present then\n# the value from the config will be used.\n#\n# If the\
-    \ 'readOnly' key is missing (defaults to 'false'), the respective option\n# will\
-    \ be available for users to edit.\n#\n# Note that some values can be templated.\
-    \ Such values are the names of the\n# Volumes as well as their StorageClass\n\
-    spawnerFormDefaults:\n  image:\n    # The container Image for the user's Jupyter\
-    \ Notebook\n    value: public.ecr.aws/kubeflow-on-aws/notebook-servers/jupyter-tensorflow:2.12.0-cpu-py310-ubuntu20.04-ec2-v1.0\n\
-    \    # The list of available standard container Images\n    options:\n    - kubeflownotebookswg/jupyter-scipy:v1.7.0\n\
-    \    - public.ecr.aws/kubeflow-on-aws/notebook-servers/jupyter-tensorflow:2.12.0-gpu-py310-cu118-ubuntu20.04-ec2-v1.0\n\
-    \    - public.ecr.aws/kubeflow-on-aws/notebook-servers/jupyter-tensorflow:2.12.0-cpu-py310-ubuntu20.04-ec2-v1.0\n\
-    \    - public.ecr.aws/kubeflow-on-aws/notebook-servers/jupyter-pytorch:2.0.0-gpu-py310-cu118-ubuntu20.04-ec2-v1.0\n\
-    \    - public.ecr.aws/kubeflow-on-aws/notebook-servers/jupyter-pytorch:2.0.0-cpu-py310-ubuntu20.04-ec2-v1.0\n\
-    \  imageGroupOne:\n    # The container Image for the user's Group One Server\n\
-    \    # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /`\n    # is applied\
-    \ to notebook in this group, configuring\n    # the Istio rewrite for containers\
-    \ that host their web UI at `/`\n    value: kubeflownotebookswg/codeserver-python:v1.7.0\n\
-    \    # The list of available standard container Images\n    options:\n    - kubeflownotebookswg/codeserver-python:v1.7.0\n\
-    \  imageGroupTwo:\n    # The container Image for the user's Group Two Server\n\
-    \    # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /`\n    # is applied\
-    \ to notebook in this group, configuring\n    # the Istio rewrite for containers\
-    \ that host their web UI at `/`\n    # The annotation `notebooks.kubeflow.org/http-headers-request-set`\n\
-    \    # is applied to notebook in this group, configuring Istio\n    # to add the\
-    \ `X-RStudio-Root-Path` header to requests\n    value: kubeflownotebookswg/rstudio-tidyverse:v1.7.0\n\
-    \    # The list of available standard container Images\n    options:\n    - kubeflownotebookswg/rstudio-tidyverse:v1.7.0\n\
-    \  # If true, hide registry and/or tag name in the image selection dropdown\n\
-    \  hideRegistry: true\n  hideTag: false\n  allowCustomImage: true\n  # If true,\
-    \ users can input custom images\n  # If false, users can only select from the\
-    \ images in this config\n  imagePullPolicy:\n    # Supported values: Always, IfNotPresent,\
-    \ Never\n    value: IfNotPresent\n    readOnly: false\n  cpu:\n    # CPU for user's\
-    \ Notebook\n    value: '0.5'\n    # Factor by with to multiply request to calculate\
-    \ limit\n    # if no limit is set, to disable set \"none\"\n    limitFactor: \"\
-    1.2\"\n    readOnly: false\n  memory:\n    # Memory for user's Notebook\n    value:\
-    \ 1.0Gi\n    # Factor by with to multiply request to calculate limit\n    # if\
-    \ no limit is set, to disable set \"none\"\n    limitFactor: \"1.2\"\n    readOnly:\
-    \ false\n  environment:\n    value: {}\n    readOnly: false\n  workspaceVolume:\n\
-    \    # Workspace Volume to be attached to user's Notebook\n    # If you don't\
-    \ want a workspace volume then delete the 'value' key\n    value:\n      mount:\
-    \ /home/jovyan\n      newPvc:\n        metadata:\n          name: '{notebook-name}-workspace'\n\
-    \        spec:\n          resources:\n            requests:\n              storage:\
-    \ 10Gi\n          accessModes:\n          - ReadWriteOnce\n    readOnly: false\n\
-    \  dataVolumes:\n    # List of additional Data Volumes to be attached to the user's\
-    \ Notebook\n    value: []\n    # For example, a list with 2 Data Volumes:\n  \
-    \  # value:\n    #   - mount: /home/jovyan/datavol-1\n    #     newPvc:\n    #\
-    \       metadata:\n    #         name: '{notebook-name}-datavol-1'\n    #    \
-    \   spec:\n    #         resources:\n    #           requests:\n    #        \
-    \     storage: 5Gi\n    #         accessModes:\n    #           - ReadWriteOnce\n\
-    \    #   - mount: /home/jovyan/datavol-1\n    #     existingSource:\n    #   \
-    \    persistentVolumeClaim:\n    #         claimName: test-pvc\n    readOnly:\
-    \ false\n  gpus:\n    # Number of GPUs to be assigned to the Notebook Container\n\
-    \    value:\n      # values: \"none\", \"1\", \"2\", \"4\", \"8\"\n      num:\
-    \ \"none\"\n      # Determines what the UI will show and send to the backend\n\
-    \      vendors:\n      - limitsKey: \"nvidia.com/gpu\"\n        uiName: \"NVIDIA\"\
-    \n      - limitsKey: \"amd.com/gpu\"\n        uiName: \"AMD\"\n      # Values:\
-    \ \"\" or a `limits-key` from the vendors list\n      vendor: \"\"\n    readOnly:\
-    \ false\n  affinityConfig:\n    # If readonly, the default value will be the only\
-    \ option\n    # value is a list of `configKey`s that we want to be selected by\
-    \ default\n    value: \"\"\n    # The list of available affinity configs\n   \
-    \ options: []\n    #options:\n    #  - configKey: \"exclusive__n1-standard-2\"\
-    \n    #    displayName: \"Exclusive: n1-standard-2\"\n    #    affinity:\n   \
-    \ #      # (Require) Node having label: `node_pool=notebook-n1-standard-2`\n \
-    \   #      nodeAffinity:\n    #        requiredDuringSchedulingIgnoredDuringExecution:\n\
-    \    #          nodeSelectorTerms:\n    #            - matchExpressions:\n   \
-    \ #                - key: \"node_pool\"\n    #                  operator: \"In\"\
-    \n    #                  values:\n    #                   - \"notebook-n1-standard-2\"\
-    \n    #      # (Require) Node WITHOUT existing Pod having label: `notebook-name`\n\
-    \    #      podAntiAffinity:\n    #        requiredDuringSchedulingIgnoredDuringExecution:\n\
-    \    #          - labelSelector:\n    #              matchExpressions:\n    #\
-    \                - key: \"notebook-name\"\n    #                  operator: \"\
-    Exists\"\n    #            namespaces: []\n    #            topologyKey: \"kubernetes.io/hostname\"\
-    \n    #readOnly: false\n  tolerationGroup:\n    # The default `groupKey` from\
-    \ the options list\n    # If readonly, the default value will be the only option\n\
-    \    value: \"\"\n    # The list of available tolerationGroup configs\n    options:\
-    \ []\n    #options:\n    #  - groupKey: \"group_1\"\n    #    displayName: \"\
-    Group 1: description\"\n    #    tolerations:\n    #      - key: \"key1\"\n  \
-    \  #        operator: \"Equal\"\n    #        value: \"value1\"\n    #       \
-    \ effect: \"NoSchedule\"\n    #      - key: \"key2\"\n    #        operator: \"\
-    Equal\"\n    #        value: \"value2\"\n    #        effect: \"NoSchedule\"\n\
-    \    readOnly: false\n  shm:\n    value: true\n    readOnly: false\n  configurations:\n\
-    \    # List of labels to be selected, these are the labels from PodDefaults\n\
-    \    # value:\n    #   - add-aws-secret\n    #   - default-editor\n    value:\
-    \ []\n    readOnly: false\n"
+  spawner_ui_config.yaml: {{- .Values.spawner_ui_config | toYaml | indent 2 }}
 kind: ConfigMap
 metadata:
+  annotations: {}
   labels:
     app: jupyter-web-app
     kustomize.component: jupyter-web-app
   name: jupyter-web-app-config-mgf762gt24
-  namespace: kubeflow
+  namespace: kubeflow
\ No newline at end of file
diff --git a/charts/apps/jupyter-web-app/values.yaml b/charts/apps/jupyter-web-app/values.yaml
index 6d800eed5f..e5776c9f61 100644
--- a/charts/apps/jupyter-web-app/values.yaml
+++ b/charts/apps/jupyter-web-app/values.yaml
@@ -1,2 +1,154 @@
-null
-...
+spawner_ui_config: |
+  spawnerFormDefaults:
+    image:
+      # The container Image for the user's Jupyter Notebook
+      value: 369500102003.dkr.ecr.us-east-1.amazonaws.com/dl-research:jupyter-f932cdf
+      # The list of available standard container Images
+      options:
+      - 369500102003.dkr.ecr.us-east-1.amazonaws.com/dl-research:jupyter-f932cdf
+      - kubeflownotebookswg/jupyter-pytorch-full:v1.6.1
+      - kubeflownotebookswg/jupyter-pytorch-cuda-full:v1.6.1
+      - kubeflownotebookswg/jupyter-tensorflow-full:v1.6.1
+      - kubeflownotebookswg/jupyter-tensorflow-cuda-full:v1.6.1
+    imageGroupOne:
+      # The container Image for the user's Group One Server
+      # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /`
+      # is applied to notebook in this group, configuring
+      # the Istio rewrite for containers that host their web UI at `/`
+      value: 369500102003.dkr.ecr.us-east-1.amazonaws.com/dl-research:vscode-f932cdf
+      # The list of available standard container Images
+      options:
+      - 369500102003.dkr.ecr.us-east-1.amazonaws.com/dl-research:vscode-f932cdf
+    imageGroupTwo:
+      # The container Image for the user's Group Two Server
+      # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /`
+      # is applied to notebook in this group, configuring
+      # the Istio rewrite for containers that host their web UI at `/`
+      # The annotation `notebooks.kubeflow.org/http-headers-request-set`
+      # is applied to notebook in this group, configuring Istio
+      # to add the `X-RStudio-Root-Path` header to requests
+      value: kubeflownotebookswg/rstudio-tidyverse:v1.6.1
+      # The list of available standard container Images
+      options:
+      - kubeflownotebookswg/rstudio-tidyverse:v1.6.1
+    # If true, hide registry and/or tag name in the image selection dropdown
+    hideRegistry: false
+    hideTag: false
+    allowCustomImage: true
+    # If true, users can input custom images
+    # If false, users can only select from the images in this config
+    imagePullPolicy:
+      # Supported values: Always, IfNotPresent, Never
+      value: IfNotPresent
+      readOnly: false
+    cpu:
+      # CPU for user's Notebook
+      value: '0.5'
+      # Factor by with to multiply request to calculate limit
+      # if no limit is set, to disable set "none"
+      limitFactor: "1.2"
+      readOnly: false
+    memory:
+      # Memory for user's Notebook
+      value: 1.0Gi
+      # Factor by with to multiply request to calculate limit
+      # if no limit is set, to disable set "none"
+      limitFactor: "1.2"
+      readOnly: false
+    environment:
+      value: {}
+      readOnly: false
+    workspaceVolume:
+      # Workspace Volume to be attached to user's Notebook
+      # If you don't want a workspace volume then delete the 'value' key
+      value:
+      # mount: /home/dl-user
+      # existingSource:
+      #   persistentVolumeClaim:
+      #     claimName: '-home'
+      readOnly: false
+    dataVolumes:
+      value:
+        - mount: /data
+          newPvc:
+            metadata:
+              name: '{notebook-name}-vol-1'
+            spec:
+              resources:
+                requests:
+                  storage: 30Gi
+              accessModes:
+                - ReadWriteOnce
+      readOnly: false
+    gpus:
+      # Number of GPUs to be assigned to the Notebook Container
+      value:
+        # values: "none", "1", "2", "4", "8"
+        num: "none"
+        # Determines what the UI will show and send to the backend
+        vendors:
+        - limitsKey: "nvidia.com/gpu"
+          uiName: "NVIDIA"
+        # - limitsKey: "amd.com/gpu"
+        #  uiName: "AMD"
+        # Values: "" or a `limits-key` from the vendors list
+        vendor: ""
+      readOnly: false
+    affinityConfig:
+      # If readonly, the default value will be the only option
+      # value is a list of `configKey`s that we want to be selected by default
+      value: ""
+      # The list of available affinity configs
+      options: []
+      #options:
+      #  - configKey: "exclusive__n1-standard-2"
+      #    displayName: "Exclusive: n1-standard-2"
+      #    affinity:
+      #      # (Require) Node having label: `node_pool=notebook-n1-standard-2`
+      #      nodeAffinity:
+      #        requiredDuringSchedulingIgnoredDuringExecution:
+      #          nodeSelectorTerms:
+      #            - matchExpressions:
+      #                - key: "node_pool"
+      #                  operator: "In"
+      #                  values:
+      #                   - "notebook-n1-standard-2"
+      #      # (Require) Node WITHOUT existing Pod having label: `notebook-name`
+      #      podAntiAffinity:
+      #        requiredDuringSchedulingIgnoredDuringExecution:
+      #          - labelSelector:
+      #              matchExpressions:
+      #                - key: "notebook-name"
+      #                  operator: "Exists"
+      #            namespaces: []
+      #            topologyKey: "kubernetes.io/hostname"
+      #readOnly: false
+    tolerationGroup:
+      # The default `groupKey` from the options list
+      # If readonly, the default value will be the only option
+      value: ""
+      options:
+      - groupKey: "gpu"
+        displayName: "gpu toleration"
+        tolerations:
+        - key: "nvidia.com/gpu"
+          operator: "Equal"
+          value: "true"
+          effect: "PreferNoSchedule"
+      - groupKey: "spot"
+        displayName: "spot toleration"
+        tolerations:
+        - key: "spot"
+          operator: "Equal"
+          value: "true"
+          effect: "NoSchedule"
+    shm:
+      value: true
+      readOnly: false
+    configurations:
+      value:
+        - add-secret-volume
+        - add-env
+        - prevent-eviction
+        - access-ml-pipeline
+      readOnly: false
\ No newline at end of file
diff --git a/charts/apps/kubeflow-pipelines/rds-s3/templates/Certificate/kfp-cache-cert-kubeflow-Certificate.yaml b/charts/apps/kubeflow-pipelines/rds-s3/templates/Certificate/kfp-cache-cert-kubeflow-Certificate.yaml
index 733cb98e8f..01e331f056 100644
--- a/charts/apps/kubeflow-pipelines/rds-s3/templates/Certificate/kfp-cache-cert-kubeflow-Certificate.yaml
+++ b/charts/apps/kubeflow-pipelines/rds-s3/templates/Certificate/kfp-cache-cert-kubeflow-Certificate.yaml
@@ -1,6 +1,10 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
+  annotations:
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-weight": "-10"
+    # "helm.sh/hook-delete-policy": hook-succeeded
   labels:
     app: cache-server-cert-manager
     application-crd-id: kubeflow-pipelines
diff --git a/charts/apps/kubeflow-pipelines/rds-s3/templates/Deployment/cache-server-kubeflow-Deployment.yaml b/charts/apps/kubeflow-pipelines/rds-s3/templates/Deployment/cache-server-kubeflow-Deployment.yaml
index e6f8ef7616..b629285bdf 100644
--- a/charts/apps/kubeflow-pipelines/rds-s3/templates/Deployment/cache-server-kubeflow-Deployment.yaml
+++ b/charts/apps/kubeflow-pipelines/rds-s3/templates/Deployment/cache-server-kubeflow-Deployment.yaml
@@ -1,6 +1,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-8"
+    # "helm.sh/hook-delete-policy": hook-succeeded
   labels:
     app: cache-server
     app.kubernetes.io/component: ml-pipeline
diff --git a/charts/apps/kubeflow-pipelines/rds-s3/templates/Secret/mlpipeline-minio-artifact-kubeflow-Secret.yaml b/charts/apps/kubeflow-pipelines/rds-s3/templates/Secret/mlpipeline-minio-artifact-kubeflow-Secret.yaml
index fb885c4f32..61c5f7ee6f 100644
--- a/charts/apps/kubeflow-pipelines/rds-s3/templates/Secret/mlpipeline-minio-artifact-kubeflow-Secret.yaml
+++ b/charts/apps/kubeflow-pipelines/rds-s3/templates/Secret/mlpipeline-minio-artifact-kubeflow-Secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.create_secret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,3 +9,4 @@ metadata:
 stringData:
   accesskey: ''
   secretkey: ''
+{{- end }}
\ No newline at end of file
diff --git a/charts/apps/kubeflow-pipelines/rds-s3/values.yaml b/charts/apps/kubeflow-pipelines/rds-s3/values.yaml
index 817a92967d..f8eaf92d86 100644
--- a/charts/apps/kubeflow-pipelines/rds-s3/values.yaml
+++ b/charts/apps/kubeflow-pipelines/rds-s3/values.yaml
@@ -5,4 +5,5 @@ s3:
   bucketName:
   minioServiceHost: s3.amazonaws.com
   minioServiceRegion:
-  roleArn:
\ No newline at end of file
+  roleArn:
+create_secret: false
\ No newline at end of file
diff --git a/charts/common/knative-serving/templates/HorizontalPodAutoscaler/webhook-knative-serving-HorizontalPodAutoscaler.yaml b/charts/common/knative-serving/templates/HorizontalPodAutoscaler/webhook-knative-serving-HorizontalPodAutoscaler.yaml
index 4181c84c93..caeff38be6 100644
--- a/charts/common/knative-serving/templates/HorizontalPodAutoscaler/webhook-knative-serving-HorizontalPodAutoscaler.yaml
+++ b/charts/common/knative-serving/templates/HorizontalPodAutoscaler/webhook-knative-serving-HorizontalPodAutoscaler.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   labels:
@@ -20,4 +20,4 @@ spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: webhook
+    name: webhook
\ No newline at end of file
diff --git a/charts/common/oidc-authservice/templates/ConfigMap/oidc-authservice-parameters-istio-system-ConfigMap.yaml b/charts/common/oidc-authservice/templates/ConfigMap/oidc-authservice-parameters-istio-system-ConfigMap.yaml
index c6a0d4f52f..b7d779674f 100644
--- a/charts/common/oidc-authservice/templates/ConfigMap/oidc-authservice-parameters-istio-system-ConfigMap.yaml
+++ b/charts/common/oidc-authservice/templates/ConfigMap/oidc-authservice-parameters-istio-system-ConfigMap.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.create_config }}
 apiVersion: v1
 data:
   AUTHSERVICE_URL_PREFIX: /authservice/
@@ -14,3 +15,4 @@ kind: ConfigMap
 metadata:
   name: oidc-authservice-parameters
   namespace: istio-system
+{{- end }}
\ No newline at end of file
diff --git a/charts/common/oidc-authservice/templates/Secret/oidc-authservice-client-istio-system-Secret.yaml b/charts/common/oidc-authservice/templates/Secret/oidc-authservice-client-istio-system-Secret.yaml
deleted file mode 100644
index b1e29ec1b5..0000000000
--- a/charts/common/oidc-authservice/templates/Secret/oidc-authservice-client-istio-system-Secret.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-data:
-  CLIENT_ID: a3ViZWZsb3ctb2lkYy1hdXRoc2VydmljZQ==
-  CLIENT_SECRET: cFVCbkJPWTgwU25YZ2ppYlRZTTlaV056WTJ4cmVOR1Fvaw==
-kind: Secret
-metadata:
-  name: oidc-authservice-client
-  namespace: istio-system
-type: Opaque
diff --git a/charts/common/oidc-authservice/values.yaml b/charts/common/oidc-authservice/values.yaml
index 6d800eed5f..c1155d3712 100644
--- a/charts/common/oidc-authservice/values.yaml
+++ b/charts/common/oidc-authservice/values.yaml
@@ -1,2 +1 @@
-null
-...
+create_config: false
\ No newline at end of file
diff --git a/charts/hyperfine/user/.helmignore b/charts/hyperfine/user/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/charts/hyperfine/user/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/hyperfine/user/Chart.yaml b/charts/hyperfine/user/Chart.yaml
new file mode 100644
index 0000000000..99d1b78722
--- /dev/null
+++ b/charts/hyperfine/user/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: user
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/charts/hyperfine/user/templates/ConfigMap/env-config-ConfigMap.yaml b/charts/hyperfine/user/templates/ConfigMap/env-config-ConfigMap.yaml
new file mode 100644
index 0000000000..207245335e
--- /dev/null
+++ b/charts/hyperfine/user/templates/ConfigMap/env-config-ConfigMap.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: env-config
+  namespace: {{ .Values.name }}
+data:
+  NAMESPACE: {{ .Values.name }}
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/ConfigMap/profile-ConfigMap.yaml b/charts/hyperfine/user/templates/ConfigMap/profile-ConfigMap.yaml
new file mode 100644
index 0000000000..f6e1a1368f
--- /dev/null
+++ b/charts/hyperfine/user/templates/ConfigMap/profile-ConfigMap.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  profile-name: {{ .Values.name }}
+  user: {{ .Values.email }}
+kind: ConfigMap
+metadata:
+  name: "default-install-config-{{ .Values.name }}"
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/Deployment/secret-pod-Deployment.yaml b/charts/hyperfine/user/templates/Deployment/secret-pod-Deployment.yaml
new file mode 100644
index 0000000000..f9c80a0cc4
--- /dev/null
+++ b/charts/hyperfine/user/templates/Deployment/secret-pod-Deployment.yaml
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kf-secrets-{{ .Values.name }}-deployment
+  namespace: {{ .Values.name }}
+  labels:
+    app: "kf-secrets-{{ .Values.name }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "kf-secrets-{{ .Values.name }}"
+  template:
+    metadata:
+      labels:
+        app: "kf-secrets-{{ .Values.name }}"
+    spec:
+      containers:
+      - image: k8s.gcr.io/e2e-test-images/busybox:1.29
+        command:
+        - "/bin/sleep"
+        - "10000"
+        name: secrets
+        volumeMounts:
+        - mountPath: "/mnt/rds-store"
+          name: "{{ .Values.rdsSecretName }}"
+          readOnly: true
+        - mountPath: "/mnt/aws-store"
+          name: "{{ .Values.s3SecretName }}"
+          readOnly: true
+        - mountPath: "/mnt/ssh-store"
+          name: "{{ .Values.sshKeySecretName }}"
+          readOnly: true
+      serviceAccountName: {{ .Values.serviceAccountName }}
+      volumes:
+      - csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: aws-secrets
+        name: "{{ .Values.rdsSecretName }}"
+      - csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: aws-secrets
+        name: "{{ .Values.s3SecretName }}"
+      - csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: aws-secrets
+        name: "{{ .Values.sshKeySecretName }}"
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/PersistentVolumeClaim/efs-home-PersistentVolumeClaim.yaml b/charts/hyperfine/user/templates/PersistentVolumeClaim/efs-home-PersistentVolumeClaim.yaml
new file mode 100644
index 0000000000..05a91c7972
--- /dev/null
+++ b/charts/hyperfine/user/templates/PersistentVolumeClaim/efs-home-PersistentVolumeClaim.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ .Values.name }}-home"
+  namespace: {{ .Values.name }}
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: {{ .Values.efsStorageClassName }}
+  resources:
+    requests:
+      storage: 30Gi
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/PodDefault/env-config-PodDefault.yaml b/charts/hyperfine/user/templates/PodDefault/env-config-PodDefault.yaml
new file mode 100644
index 0000000000..d985a7b8aa
--- /dev/null
+++ b/charts/hyperfine/user/templates/PodDefault/env-config-PodDefault.yaml
@@ -0,0 +1,13 @@
+apiVersion: "kubeflow.org/v1alpha1"
+kind: PodDefault
+metadata:
+  name: "add-env"
+  namespace: {{ .Values.name }}
+spec:
+ desc: "add env"
+ selector:
+   matchLabels:
+     add-env: "true"
+ envFrom:
+ - configMapRef:
+     name: env-config
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/PodDefault/eviction-PodDefault.yaml b/charts/hyperfine/user/templates/PodDefault/eviction-PodDefault.yaml
new file mode 100644
index 0000000000..4a67ed1063
--- /dev/null
+++ b/charts/hyperfine/user/templates/PodDefault/eviction-PodDefault.yaml
@@ -0,0 +1,12 @@
+apiVersion: kubeflow.org/v1alpha1
+kind: PodDefault
+metadata:
+  name: prevent-eviction
+  namespace: {{ .Values.name }}
+spec:
+  desc: prevent eviction
+  selector:
+    matchLabels:
+      prevent-eviction: "true"
+  annotations:
+    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/PodDefault/pipeline-PodDefault.yaml b/charts/hyperfine/user/templates/PodDefault/pipeline-PodDefault.yaml
new file mode 100644
index 0000000000..c6155491c6
--- /dev/null
+++ b/charts/hyperfine/user/templates/PodDefault/pipeline-PodDefault.yaml
@@ -0,0 +1,25 @@
+apiVersion: kubeflow.org/v1alpha1
+kind: PodDefault
+metadata:
+  name: access-ml-pipeline
+  namespace: {{ .Values.name }}
+spec:
+  desc: Allow access to Kubeflow Pipelines
+  selector:
+    matchLabels:
+      access-ml-pipeline: "true"
+  volumes:
+    - name: volume-kf-pipeline-token
+      projected:
+        sources:
+          - serviceAccountToken:
+              path: token
+              expirationSeconds: 7200
+              audience: pipelines.kubeflow.org
+  volumeMounts:
+    - mountPath: /var/run/secrets/kubeflow/pipelines
+      name: volume-kf-pipeline-token
+      readOnly: true
+  env:
+    - name: KF_PIPELINES_SA_TOKEN_PATH
+      value: /var/run/secrets/kubeflow/pipelines/token
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/PodDefault/secret-volume-PodDefault.yaml b/charts/hyperfine/user/templates/PodDefault/secret-volume-PodDefault.yaml
new file mode 100644
index 0000000000..031326ae45
--- /dev/null
+++ b/charts/hyperfine/user/templates/PodDefault/secret-volume-PodDefault.yaml
@@ -0,0 +1,18 @@
+apiVersion: "kubeflow.org/v1alpha1"
+kind: PodDefault
+metadata:
+  name: "add-secret-volume"
+  namespace: {{ .Values.name }}
+spec:
+ desc: "add secret volume"
+ selector:
+   matchLabels:
+     add-secret-volume: "true"
+ volumeMounts:
+ - name: secret-volume
+   mountPath: /etc/ssh-key
+ volumes:
+ - name: secret-volume
+   secret:
+     secretName: ssh-secret-{{ .Values.name }}
+     defaultMode: 256
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/Profile/profile-Profile.yaml b/charts/hyperfine/user/templates/Profile/profile-Profile.yaml
new file mode 100644
index 0000000000..a8067f306e
--- /dev/null
+++ b/charts/hyperfine/user/templates/Profile/profile-Profile.yaml
@@ -0,0 +1,8 @@
+apiVersion: kubeflow.org/v1beta1
+kind: Profile
+metadata:
+  name: {{ .Values.name }}
+spec:
+  owner:
+    kind: User
+    name: {{ .Values.email }}
diff --git a/charts/hyperfine/user/templates/Role/access-Role.yaml b/charts/hyperfine/user/templates/Role/access-Role.yaml
new file mode 100644
index 0000000000..db08f1203f
--- /dev/null
+++ b/charts/hyperfine/user/templates/Role/access-Role.yaml
@@ -0,0 +1,12 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "{{ .Values.name }}-access"
+  namespace: {{ .Values.name }}
+rules:
+- apiGroups: [""]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["extensions"]
+  resources: ["*"]
+  verbs: ["*"]
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/RoleBinding/dashboard-RoleBinding.yaml b/charts/hyperfine/user/templates/RoleBinding/dashboard-RoleBinding.yaml
new file mode 100644
index 0000000000..70d3f9f601
--- /dev/null
+++ b/charts/hyperfine/user/templates/RoleBinding/dashboard-RoleBinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "{{ .Values.name }}-access-dashboard-role-binding"
+  namespace: {{ .Values.name }}
+subjects:
+- kind: Group
+  name: kubernetes-dashboard
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: "{{ .Values.name }}-access"
+  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/charts/hyperfine/user/templates/RoleBinding/service-account-access-RoleBinding.yaml b/charts/hyperfine/user/templates/RoleBinding/service-account-access-RoleBinding.yaml
new file mode 100644
index 0000000000..5f8e2acc5e
--- /dev/null
+++ b/charts/hyperfine/user/templates/RoleBinding/service-account-access-RoleBinding.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "{{ .Values.name }}-role-binding"
+  namespace: {{ .Values.name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: "{{ .Values.name }}-access"
+subjects:
+  - kind: ServiceAccount
+    name:  {{ .Values.serviceAccountName }}
+    namespace: {{ .Values.name }}
diff --git a/charts/hyperfine/user/templates/SecretProviderClass/secret-store-SecretProviderClass.yaml b/charts/hyperfine/user/templates/SecretProviderClass/secret-store-SecretProviderClass.yaml
new file mode 100644
index 0000000000..bc2b7494da
--- /dev/null
+++ b/charts/hyperfine/user/templates/SecretProviderClass/secret-store-SecretProviderClass.yaml
@@ -0,0 +1,70 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+  name: aws-secrets
+  namespace: {{ .Values.name }}
+spec:
+  provider: aws
+  secretObjects:
+  - secretName: "ssh-secret-{{ .Values.name }}"
+    type: Opaque
+    data:
+    - objectName: "{{ .Values.name }}"
+      key: private
+    - objectName: "{{ .Values.name }}.pub"
+      key: public
+  - secretName: mysql-secret
+    type: Opaque
+    data:
+    - objectName: "user"
+      key: username
+    - objectName: "pass"
+      key: password
+    - objectName: "host"
+      key: host
+    - objectName: "database"
+      key: database
+    - objectName: "port"
+      key: port
+  - secretName: mlpipeline-minio-artifact
+    type: Opaque
+    data:
+    - objectName: "access"
+      key: accesskey
+    - objectName: "secret"
+      key: secretkey
+  parameters:
+    objects: |
+      - objectName: "{{ .Values.sshKeySecretName }}"
+        objectType: "secretsmanager"
+        objectAlias: "{{ .Values.name }}-ssh"
+        objectVersionLabel: "AWSCURRENT"
+        jmesPath:
+            - path: "private"
+              objectAlias: "{{ .Values.name }}"
+            - path: "public"
+              objectAlias: "{{ .Values.name }}.pub"
+      - objectName: "{{ .Values.rdsSecretName }}"
+        objectType: "secretsmanager"
+        objectAlias: "rds-secret"
+        objectVersionLabel: "AWSCURRENT"
+        jmesPath:
+            - path: "username"
+              objectAlias: "user"
+            - path: "password"
+              objectAlias: "pass"
+            - path: "host"
+              objectAlias: "host"
+            - path: "database"
+              objectAlias: "database"
+            - path: "port"
+              objectAlias: "port"
+      - objectName: "{{ .Values.s3SecretName }}"
+        objectType: "secretsmanager"
+        objectAlias: "s3-secret"
+        objectVersionLabel: "AWSCURRENT"
+        jmesPath:
+            - path: "accesskey"
+              objectAlias: "access"
+            - path: "secretkey"
+              objectAlias: "secret"
diff --git a/charts/hyperfine/user/values.yaml b/charts/hyperfine/user/values.yaml
new file mode 100644
index 0000000000..a4c90a9f50
--- /dev/null
+++ b/charts/hyperfine/user/values.yaml
@@ -0,0 +1,7 @@
+name:
+email:
+s3SecretName:
+rdsSecretName:
+sshKeySecretName:
+serviceAccountName:
+efsStorageClassName:
\ No newline at end of file
diff --git a/deployments/hyperfine/dependencies.tf b/deployments/hyperfine/dependencies.tf
new file mode 100644
index 0000000000..e84a439a94
--- /dev/null
+++ b/deployments/hyperfine/dependencies.tf
@@ -0,0 +1,10 @@
+
+data "aws_eks_cluster" "eks_cluster" {
+  name = var.eks_cluster_name
+}
+
+data "aws_eks_cluster_auth" "kubernetes_token" {
+  count = var.use_exec_plugin_for_auth ? 0 : 1
+  name  = var.eks_cluster_name
+}
+
diff --git a/deployments/hyperfine/kubeprovider.tf b/deployments/hyperfine/kubeprovider.tf
new file mode 100644
index 0000000000..19103530a9
--- /dev/null
+++ b/deployments/hyperfine/kubeprovider.tf
@@ -0,0 +1,60 @@
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.eks_cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks_cluster.certificate_authority.0.data)
+  token                  = var.use_exec_plugin_for_auth ? null : data.aws_eks_cluster_auth.kubernetes_token[0].token
+
+  # EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To
+  # avoid this issue, we use an exec-based plugin here to fetch an up-to-date token. Note that this code requires a
+  # binary—either kubergrunt or aws—to be installed and on your PATH.
+  dynamic "exec" {
+    for_each = var.use_exec_plugin_for_auth ? ["once"] : []
+
+    content {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = var.use_kubergrunt_to_fetch_token ? "kubergrunt" : "aws"
+      args = (
+        var.use_kubergrunt_to_fetch_token
+        ? ["eks", "token", "--cluster-id", var.eks_cluster_name]
+        : ["eks", "get-token", "--cluster-name", var.eks_cluster_name]
+      )
+    }
+  }
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = data.aws_eks_cluster.eks_cluster.endpoint
+    cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks_cluster.certificate_authority.0.data)
+    token                  = var.use_exec_plugin_for_auth ? null : data.aws_eks_cluster_auth.kubernetes_token[0].token
+
+    # EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To
+    # avoid this issue, we use an exec-based plugin here to fetch an up-to-date token. Note that this code requires a
+    # binary—either kubergrunt or aws—to be installed and on your PATH.
+    dynamic "exec" {
+      for_each = var.use_exec_plugin_for_auth ? ["once"] : []
+
+      content {
+        api_version = "client.authentication.k8s.io/v1beta1"
+        command     = var.use_kubergrunt_to_fetch_token ? "kubergrunt" : "aws"
+        args = (
+          var.use_kubergrunt_to_fetch_token
+          ? ["eks", "token", "--cluster-id", var.eks_cluster_name]
+          : ["eks", "get-token", "--cluster-name", var.eks_cluster_name]
+        )
+      }
+    }
+  }
+}
+
+provider "kubectl" {
+  host                   = data.aws_eks_cluster.eks_cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks_cluster.certificate_authority.0.data)
+  load_config_file       = false
+  exec  {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    args = (
+        ["eks", "get-token", "--cluster-name", var.eks_cluster_name]
+      )
+  }
+}
\ No newline at end of file
diff --git a/deployments/hyperfine/main.tf b/deployments/hyperfine/main.tf
new file mode 100644
index 0000000000..21d134e27b
--- /dev/null
+++ b/deployments/hyperfine/main.tf
@@ -0,0 +1,87 @@
+terraform {
+  required_version = ">= 1.2.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.71"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.7.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.13.1"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.0"
+    }
+  }
+}
+
+# create kubeflow namespace first
+resource "kubernetes_namespace_v1" "kubeflow" {
+  metadata {
+    labels = {
+      control-plane = "kubeflow"
+      istio-injection = "enabled"
+    }
+
+    name = "kubeflow"
+  }
+}
+
+module "secrets" {
+  source = "../../iaac/terraform/hyperfine/secrets"
+
+  eks_cluster_name = var.eks_cluster_name
+  namespace = kubernetes_namespace_v1.kubeflow.metadata[0].name
+
+  rds_host = var.rds_host
+  rds_secret_name = var.rds_secret_name
+  s3_bucket_name = var.s3_bucket_name
+}
+
+module "kubeflow" {
+  source = "../../iaac/terraform/hyperfine/modules"
+
+  eks_cluster_name = var.eks_cluster_name
+
+  rds_host = module.secrets.rds_host
+  s3_bucket_name = module.secrets.s3_bucket_name
+}
+
+
+module "dex" {
+  source = "../../iaac/terraform/hyperfine/dex"
+
+  eks_cluster_name = var.eks_cluster_name
+
+  oidc_secret_name = var.oidc_secret_name
+  okta_secret_name = var.okta_secret_name
+  kms_key_arns = module.secrets.kms_key_arns
+
+  zone_id = var.zone_id
+  subdomain = var.subdomain
+}
+
+
+module "user" {
+  for_each = var.users
+
+  source = "../../iaac/terraform/hyperfine/user"
+
+  eks_cluster_name = var.eks_cluster_name
+
+
+  email = each.key
+  ssh_key_secret_name = each.value
+
+
+  rds_secret_name = module.secrets.rds_secret_name
+  s3_secret_name = module.secrets.s3_secret_name
+  kms_key_arns = module.secrets.kms_key_arns
+}
+
diff --git a/deployments/hyperfine/variables.tf b/deployments/hyperfine/variables.tf
new file mode 100644
index 0000000000..ecf0919aac
--- /dev/null
+++ b/deployments/hyperfine/variables.tf
@@ -0,0 +1,97 @@
+# access key
+
+variable "s3_bucket_name" {
+  description = "bucket to access"
+  type = string
+}
+
+variable "rds_secret_name" {
+  description = "secretmaanger for rds config"
+  type = string
+}
+
+variable "rds_host" {
+  description = "rds host name to use"
+  type = string
+}
+
+# dex configurations
+
+variable subdomain {
+  description = "subdomain used to access dex"
+  type = string
+  default = "platform"
+}
+
+variable dex_version {
+  description = "helm chart version for dex"
+  type = string
+  default = "0.14.1"
+}
+
+variable zone_id {
+  description = "top level zone to use fo domain"
+  type = string
+}
+
+variable okta_secret_name {
+  description = "secretmanager name to use for okta"
+  type = string
+  # secret format
+  # {
+  #   "okta_client_id":"asdfasdf",
+  #    "okta_client_secret":"asdfasdf",
+  #    "okta_issuer_url":"https://hyperfine.okta.com",
+  #    "okta_client_id_":"asdfasdf",
+  #    "okta_client_secret_":"asdfasdf-asdfasdfG",
+  #    "okta_issuer_url_":"https://dev-1111111.okta.com"
+  #  }
+}
+
+variable oidc_secret_name {
+  description = "secretmanager name to use for auth service"
+  type = string
+  # secret format
+  # {
+  #  "auth_client_id":"kf-oidc-authservice",
+  #   "auth_client_secret":"asdfasdf"
+  #  }
+}
+
+variable oidc_sa_name {
+  description = "service account name to use for oidc"
+  type        = string
+  default     = "oidc-secrets-manager-sa"
+}
+
+variable   auth_namespace {
+  description = "namespace to deploy auth service to"
+  type        = string
+  default     = "auth"
+}
+
+# user configurations
+
+variable users {
+  description = "map of usernames to ssh secret"
+  type        = map(string)
+}
+
+
+# PROVIDER CONFIGS
+variable "eks_cluster_name" {
+  description = "cluster to install to"
+  type = string
+}
+
+variable "use_exec_plugin_for_auth" {
+  description = "If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens."
+  type        = bool
+  default     = true
+}
+
+variable "use_kubergrunt_to_fetch_token" {
+  description = "EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true."
+  type        = bool
+  default     = true
+}
\ No newline at end of file
diff --git a/deployments/rds-s3/base/kustomization.yaml b/deployments/rds-s3/base/kustomization.yaml
index 0f6779fb30..f8c5c2c91f 100644
--- a/deployments/rds-s3/base/kustomization.yaml
+++ b/deployments/rds-s3/base/kustomization.yaml
@@ -12,7 +12,7 @@ resources:
   # OIDC Authservice
   - ../../../upstream/common/oidc-authservice/base
   # Dex
-  - ../../../upstream/common/dex/overlays/istio
+  - ../../../awsconfigs/common/dex
   # KNative
   - ../../../upstream/common/knative/knative-serving/overlays/gateways
   - ../../../upstream/common/knative/knative-eventing/base
diff --git a/deployments/vanilla/kustomization.yaml b/deployments/vanilla/kustomization.yaml
index 593b0d59a0..8c755d9879 100644
--- a/deployments/vanilla/kustomization.yaml
+++ b/deployments/vanilla/kustomization.yaml
@@ -12,7 +12,7 @@ resources:
   # OIDC Authservice
   - ../../upstream/common/oidc-authservice/base
   # Dex
-  - ../../upstream/common/dex/overlays/istio
+  - ../../awsconfigs/common/dex
   # KNative
   - ../../upstream/common/knative/knative-serving/overlays/gateways
   - ../../upstream/common/knative/knative-eventing/base
diff --git a/iaac/terraform/hyperfine/dex/dependencies.tf b/iaac/terraform/hyperfine/dex/dependencies.tf
new file mode 100644
index 0000000000..905ba3e109
--- /dev/null
+++ b/iaac/terraform/hyperfine/dex/dependencies.tf
@@ -0,0 +1,27 @@
+data "aws_eks_cluster" "eks_cluster" {
+  name = var.eks_cluster_name
+}
+data aws_caller_identity "current" {}
+data "aws_partition" "current" {}
+
+
+data "aws_eks_cluster_auth" "kubernetes_token" {
+  count = var.use_exec_plugin_for_auth ? 0 : 1
+  name  = var.eks_cluster_name
+}
+
+data "aws_route53_zone" "top_level" {
+  zone_id = var.zone_id
+}
+
+data "aws_secretsmanager_secret" "oidc_secrets" {
+  for_each = local.oidc_secret_names
+  name     = each.key
+}
+
+locals {
+  oidc_id           = trimprefix(data.aws_eks_cluster.eks_cluster.identity.0.oidc.0.issuer, "https://")
+  eks_oidc_provider_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_id}"
+  oidc_secret_names = toset([var.oidc_secret_name, var.okta_secret_name])
+}
+
diff --git a/iaac/terraform/hyperfine/dex/dex.tf b/iaac/terraform/hyperfine/dex/dex.tf
new file mode 100644
index 0000000000..e2759c9638
--- /dev/null
+++ b/iaac/terraform/hyperfine/dex/dex.tf
@@ -0,0 +1,251 @@
+terraform {
+  required_version = ">= 1.2.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.71"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.13.1"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.7.0"
+    }
+  }
+}
+
+
+
+locals {
+  url = "https://${var.subdomain}.${data.aws_route53_zone.top_level.name}"
+}
+
+
+
+resource "kubernetes_namespace_v1" "auth" {
+  metadata {
+    name = var.auth_namespace
+  }
+}
+
+data "aws_iam_policy_document" "ssm" {
+  version = "2012-10-17"
+
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:Decrypt", "kms:DescribeKey"]
+    resources = var.kms_key_arns
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret"
+    ]
+    resources = [for k, v in data.aws_secretsmanager_secret.oidc_secrets : v.arn]
+  }
+}
+
+resource "aws_iam_policy" "oidc-ssm" {
+  name   = "${var.eks_cluster_name}-${var.auth_sa_name}-ssm-policy"
+  policy = data.aws_iam_policy_document.ssm.json
+}
+
+module "dex-irsa" {
+  source                     = "git::git@github.com:hyperfine/terraform-aws-eks.git//modules/eks-irsa?ref=v0.48.3"
+  kubernetes_namespace       = var.auth_namespace
+  kubernetes_service_account = var.auth_sa_name
+  irsa_iam_policies          = [aws_iam_policy.oidc-ssm.arn]
+  eks_cluster_id             = var.eks_cluster_name
+
+  create_kubernetes_namespace         = false
+  create_service_account_secret_token = true
+}
+
+locals {
+  dex_module_sa = reverse(split("/", module.dex-irsa.service_account))[0] # implicit dependency
+}
+
+resource "kubectl_manifest" "oidc-secret-class" {
+  yaml_body = <<YAML
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+  name: oidc-secrets
+  namespace: "${kubernetes_namespace_v1.auth.metadata[0].name}"
+spec:
+  provider: aws
+  secretObjects:
+  - secretName: okta-oidc-secrets
+    type: Opaque
+    data:
+    - objectName: "sso_client_id"
+      key: SSO_CLIENT_ID
+    - objectName: "sso_client_secret"
+      key: SSO_CLIENT_SECRET
+    - objectName: "sso_issuer_url"
+      key: SSO_ISSUER_URL
+  - secretName: dex-oidc-client
+    type: Opaque
+    data:
+    - objectName: "auth_client_id"
+      key: OIDC_CLIENT_ID
+    - objectName: "auth_client_secret"
+      key: OIDC_CLIENT_SECRET
+  parameters:
+    objects: |
+      - objectName: "${var.okta_secret_name}"
+        objectType: "secretsmanager"
+        objectAlias: "okta-secret"
+        objectVersionLabel: "AWSCURRENT"
+        jmesPath:
+            - path: "okta_client_id"
+              objectAlias: "sso_client_id"
+            - path: "okta_client_secret"
+              objectAlias: "sso_client_secret"
+            - path: "okta_issuer_url"
+              objectAlias: "sso_issuer_url"
+      - objectName: "${var.oidc_secret_name}"
+        objectType: "secretsmanager"
+        objectAlias: "oidc-secret"
+        objectVersionLabel: "AWSCURRENT"
+        jmesPath:
+            - path: "auth_client_id"
+              objectAlias: "auth_client_id"
+            - path: "auth_client_secret"
+              objectAlias: "auth_client_secret"
+YAML
+}
+
+resource "kubectl_manifest" "oidc-secret-pod" {
+  force_new  = true
+  yaml_body  = <<YAML
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-secrets
+  namespace: "${kubernetes_namespace_v1.auth.metadata[0].name}"
+  labels:
+    app: auth-secrets-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: auth-secrets-deployment
+  template:
+    metadata:
+      labels:
+        app: auth-secrets-deployment
+    spec:
+      containers:
+      - image: k8s.gcr.io/e2e-test-images/busybox:1.29
+        command:
+        - "/bin/sleep"
+        - "10000"
+        name: secrets
+        volumeMounts:
+        - mountPath: "/mnt/okta-store"
+          name: "${var.okta_secret_name}"
+          readOnly: true
+        - mountPath: "/mnt/oidc-store"
+          name: "${var.oidc_secret_name}"
+          readOnly: true
+      serviceAccountName: "${local.dex_module_sa}"
+      volumes:
+      - csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: oidc-secrets
+        name: "${var.oidc_secret_name}"
+      - csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: oidc-secrets
+        name: "${var.okta_secret_name}"
+YAML
+}
+
+resource "helm_release" "dex" {
+  repository = "https://charts.dexidp.io"
+  name       = "dex"
+  chart      = "dex"
+  version    = var.dex_version
+  namespace  = kubernetes_namespace_v1.auth.metadata[0].name
+
+  values = [<<YAML
+envVars:
+- name: KUBERNETES_POD_NAMESPACE
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.namespace
+envFrom:
+- secretRef:
+    name: dex-oidc-client
+- secretRef:
+    name: okta-oidc-secrets
+config:
+  storage:
+    type: kubernetes
+    config:
+      inCluster: true
+  oauth2:
+    skipApprovalScreen: true
+  web:
+    http: 0.0.0.0:5556
+  logger:
+    level: "debug"
+    format: text
+  issuer: "${local.url}/dex"
+  connectors:
+  - type: oidc
+    id: okta
+    name: Okta
+    config:
+      insecureSkipEmailVerified: true
+      issuer: '{{ .Env.SSO_ISSUER_URL }}'
+      clientID: '{{ .Env.SSO_CLIENT_ID }}'
+      clientSecret: '{{ .Env.SSO_CLIENT_SECRET }}'
+      redirectURI: "${local.url}/dex/callback"
+  enablePasswordDB: true
+  staticClients:
+  - idEnv: OIDC_CLIENT_ID
+    redirectURIs: ["/login/oidc"]
+    name: 'Dex Login Application'
+    secretEnv: OIDC_CLIENT_SECRET
+YAML
+  ]
+}
+
+resource "kubectl_manifest" "virtual" {
+  yaml_body = <<YAML
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: dex
+  namespace: auth
+spec:
+  gateways:
+  - kubeflow/kubeflow-gateway
+  hosts:
+  - '*'
+  http:
+  - match:
+    - uri:
+        prefix: /dex/
+    route:
+    - destination:
+        host: dex.auth.svc.cluster.local
+        port:
+          number: 5556
+YAML
+}
diff --git a/iaac/terraform/hyperfine/dex/oidc.tf b/iaac/terraform/hyperfine/dex/oidc.tf
new file mode 100644
index 0000000000..d608ec0607
--- /dev/null
+++ b/iaac/terraform/hyperfine/dex/oidc.tf
@@ -0,0 +1,116 @@
+
+
+module "auth-irsa" {
+  source                     = "git::git@github.com:hyperfine/terraform-aws-eks.git//modules/eks-irsa?ref=v0.48.3"
+  kubernetes_namespace       = "istio-system"
+  kubernetes_service_account = "oidc-secrets-manager-sa"
+  irsa_iam_policies          = [aws_iam_policy.oidc-ssm.arn]
+  eks_cluster_id             = var.eks_cluster_name
+
+  create_kubernetes_namespace         = false
+  create_service_account_secret_token = true
+}
+
+locals {
+  auth_module_sa = reverse(split("/", module.auth-irsa.service_account))[0] # implicit dependency
+}
+
+resource "kubectl_manifest" "auth-secret-class" {
+  yaml_body = <<YAML
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+  name: authservice-secrets
+  namespace: istio-system
+spec:
+  provider: aws
+  secretObjects:
+  - secretName: oidc-authservice-client
+    type: Opaque
+    data:
+    - objectName: "auth_client_id"
+      key: CLIENT_ID
+    - objectName: "auth_client_secret"
+      key: CLIENT_SECRET
+  parameters:
+    objects: |
+      - objectName: "${var.oidc_secret_name}"
+        objectType: "secretsmanager"
+        objectAlias: "oidc-secret"
+        objectVersionLabel: "AWSCURRENT"
+        jmesPath:
+            - path: "auth_client_id"
+              objectAlias: "auth_client_id"
+            - path: "auth_client_secret"
+              objectAlias: "auth_client_secret"
+YAML
+}
+
+resource "kubectl_manifest" "authservice-secret-pod" {
+  yaml_body  = <<YAML
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authservice-secrets-deployment
+  namespace: istio-system
+  labels:
+    app: authservice-secrets
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authservice-secrets
+  template:
+    metadata:
+      labels:
+        app: authservice-secrets
+    spec:
+      containers:
+      - image: k8s.gcr.io/e2e-test-images/busybox:1.29
+        command:
+        - "/bin/sleep"
+        - "10000"
+        name: secrets
+        volumeMounts:
+        - mountPath: "/mnt/auth-store"
+          name: "${var.oidc_secret_name}"
+          readOnly: true
+      serviceAccountName: "${local.auth_module_sa}"
+      volumes:
+      - csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: authservice-secrets
+        name: "${var.oidc_secret_name}"
+YAML
+}
+
+resource "kubectl_manifest" "oidc_auth_config" {
+  yaml_body = <<YAML
+apiVersion: v1
+data:
+  AUTHSERVICE_URL_PREFIX: /authservice/
+  OIDC_AUTH_URL: /dex/auth
+  OIDC_PROVIDER: "${local.url}/dex"
+  OIDC_SCOPES: profile email groups
+  PORT: '"8080"'
+  SKIP_AUTH_URI: /dex
+  STORE_PATH: /var/lib/authservice/data.db
+  USERID_CLAIM: email
+  USERID_HEADER: kubeflow-userid
+  USERID_PREFIX: ""
+kind: ConfigMap
+metadata:
+  name: oidc-authservice-parameters
+  namespace: istio-system
+YAML
+}
+
+
+resource "helm_release" "oidc" {
+  name      = "auth-service"
+  namespace = "istio-system"
+  chart     = "../../charts/common/oidc-authservice"
+}
+
diff --git a/iaac/terraform/hyperfine/dex/variables.tf b/iaac/terraform/hyperfine/dex/variables.tf
new file mode 100644
index 0000000000..3944d30160
--- /dev/null
+++ b/iaac/terraform/hyperfine/dex/variables.tf
@@ -0,0 +1,75 @@
+variable "subdomain" {
+  description = "subdomain used to access dex"
+  type        = string
+  default     = "platform"
+}
+
+variable "dex_version" {
+  description = "helm chart version for dex"
+  type        = string
+  default     = "0.14.1"
+}
+
+variable "zone_id" {
+  description = "top level zone to use fo domain"
+  type        = string
+}
+
+variable "kms_key_arns" {
+  description = "kms key arns to allow access to"
+  type        = list(string)
+  default     = []
+}
+
+variable "okta_secret_name" {
+  description = "secretmanager name to use for okta"
+  type        = string
+  # secret format
+  # {
+  #    "okta_client_id":"asdfasdf",
+  #    "okta_client_secret":"asdfasdf",
+  #    "okta_issuer_url":"https://hyperfine.okta.com",
+  #    "okta_client_id_":"asdfasdf",
+  #    "okta_client_secret_":"asdfasdf-asdfasdfG",
+  #    "okta_issuer_url_":"https://dev-1111111.okta.com"
+  #  }
+}
+
+
+variable "oidc_secret_name" {
+  description = "secretmanager name to use for auth service"
+  type        = string
+  # secret format
+  # {
+  #   "auth_client_id":"kf-oidc-authservice",
+  #   "auth_client_secret":"asdfasdf"
+  #  }
+}
+
+variable "auth_sa_name" {
+  description = "service account name to use for dex configuration"
+  default     = "dex-secrets-manager-sa"
+}
+
+variable "auth_namespace" {
+  description = "namespace to deploy auth service to"
+  default     = "auth"
+}
+
+# PROVIDER CONFIGS
+variable "eks_cluster_name" {
+  description = "cluster to install to"
+  type        = string
+}
+
+variable "use_exec_plugin_for_auth" {
+  description = "If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens."
+  type        = bool
+  default     = true
+}
+
+variable "use_kubergrunt_to_fetch_token" {
+  description = "EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true."
+  type        = bool
+  default     = true
+}
\ No newline at end of file
diff --git a/iaac/terraform/hyperfine/modules/dependencies.tf b/iaac/terraform/hyperfine/modules/dependencies.tf
new file mode 100644
index 0000000000..10aa5aebb0
--- /dev/null
+++ b/iaac/terraform/hyperfine/modules/dependencies.tf
@@ -0,0 +1,20 @@
+data "aws_partition" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_eks_cluster" "eks_cluster" {
+  name = var.eks_cluster_name
+}
+
+data "aws_eks_cluster_auth" "kubernetes_token" {
+  count = var.use_exec_plugin_for_auth ? 0 : 1
+  name  = var.eks_cluster_name
+}
+
+
+locals {
+  oidc_id = trimprefix(data.aws_eks_cluster.eks_cluster.identity.0.oidc.0.issuer, "https://")
+}
+
diff --git a/iaac/terraform/hyperfine/modules/main.tf b/iaac/terraform/hyperfine/modules/main.tf
new file mode 100644
index 0000000000..20e8ab6295
--- /dev/null
+++ b/iaac/terraform/hyperfine/modules/main.tf
@@ -0,0 +1,246 @@
+terraform {
+  required_version = ">= 1.2.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.71"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.13.1"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.0"
+    }
+  }
+}
+
+
+
+resource "helm_release" "kubeflow_issuer" {
+  name      = "kubeflow-issuer"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/common/kubeflow-issuer"
+}
+
+
+resource "helm_release" "istio" {
+  depends_on = [helm_release.kubeflow_issuer]
+
+  name      = "istio"
+  namespace = "kube-system"
+  chart     = "${var.chart_root_folder}/common/istio"
+}
+
+resource "helm_release" "cluster-local-gateway" {
+  depends_on = [helm_release.istio]
+
+  name      = "cluster-local-gateway"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/common/cluster-local-gateway"
+}
+
+
+resource "helm_release" "knative-serving" {
+  depends_on = [helm_release.cluster-local-gateway]
+
+  name      = "knative-serving"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/common/knative-serving"
+
+}
+
+resource "helm_release" "kubeflow_knative_eventing" {
+  depends_on = [helm_release.knative-serving]
+
+  name      = "knative-eventing"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/common/knative-eventing"
+}
+
+
+resource "helm_release" "kubeflow_roles" {
+  depends_on = [helm_release.istio]
+
+  name      = "kubeflow-roles"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/common/kubeflow-roles"
+
+}
+
+resource "helm_release" "kubeflow_istio_resources" {
+  depends_on = [helm_release.kubeflow_roles]
+
+  name      = "kubeflow-istio-resources"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/common/kubeflow-istio-resources"
+}
+
+
+resource "helm_release" "kubeflow_pipelines" {
+  depends_on = [helm_release.kubeflow_istio_resources]
+
+  name  = "kubeflow-pipelines"
+  chart = "${var.chart_root_folder}/apps/kubeflow-pipelines/rds-s3"
+  set {
+    name  = "rds.dbHost"
+    value = var.rds_host
+  }
+  set {
+    name  = "rds.mlmdDb"
+    value = "kubeflow"
+  }
+  set {
+    name  = "s3.bucketName"
+    value = var.s3_bucket_name
+  }
+  set {
+    name  = "s3.minioServiceHost"
+    value = "s3.amazonaws.com"
+  }
+  set {
+    name  = "s3.minioServiceRegion"
+    value = var.s3_region
+  }
+}
+
+
+resource "helm_release" "kubeflow_kserve" {
+  depends_on = [helm_release.kubeflow_istio_resources]
+
+  name      = "kserve"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/common/kserve"
+}
+
+resource "helm_release" "kubeflow_models_web_app" {
+  depends_on = [helm_release.kubeflow_istio_resources]
+
+  name      = "models-web-app"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/models-web-app"
+}
+
+resource "helm_release" "kubeflow_katib" {
+  depends_on = [helm_release.kubeflow_istio_resources]
+
+  name      = "katib"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/katib/vanilla"
+}
+
+resource "helm_release" "kubeflow_central_dashboard" {
+  depends_on = [helm_release.kubeflow_istio_resources]
+
+  name      = "central-dashboard"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/central-dashboard"
+}
+
+resource "helm_release" "kubeflow_admission_webhook" {
+  depends_on = [helm_release.kubeflow_istio_resources]
+
+  name      = "admission-webhook"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/admission-webhook"
+}
+
+resource "helm_release" "kubeflow_notebook_controller" {
+  depends_on = [helm_release.kubeflow_central_dashboard]
+
+  name      = "notebook-controller"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/notebook-controller"
+  set {
+    name  = "cullingPolicy.cullIdleTime"
+    value = var.notebook_cull_idle_time
+  }
+  set {
+    name  = "cullingPolicy.enableCulling"
+    value = var.notebook_enable_culling
+  }
+  set {
+    name  = "cullingPolicy.idlenessCheckPeriod"
+    value = var.notebook_idleness_check_period
+  }
+
+
+}
+
+resource "helm_release" "kubeflow_jupyter_web_app" {
+  depends_on = [helm_release.kubeflow_central_dashboard]
+
+  name      = "jupyter-web-app"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/jupyter-web-app"
+  version   = "0.2.2"
+}
+
+
+resource "helm_release" "kubeflow_profiles_and_kfam" {
+  depends_on = [helm_release.kubeflow_central_dashboard]
+
+  name      = "profiles-and-kfam"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/profiles-and-kfam"
+}
+
+resource "helm_release" "kubeflow_volumes_web_app" {
+  depends_on = [helm_release.kubeflow_central_dashboard]
+
+  name      = "volumes-web-app"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/volumes-web-app"
+}
+
+resource "helm_release" "kubeflow_tensorboards_web_app" {
+  depends_on = [helm_release.kubeflow_central_dashboard]
+
+  name      = "tensorboards-web-app"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/tensorboards-web-app"
+}
+
+resource "helm_release" "kubeflow_tensorboard_controller" {
+  depends_on = [helm_release.kubeflow_central_dashboard]
+
+  name      = "tensorboard-controller"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/tensorboard-controller"
+}
+
+resource "helm_release" "kubeflow_training_operator" {
+  depends_on = [helm_release.kubeflow_central_dashboard]
+
+  name      = "training-operator"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/apps/training-operator"
+}
+
+resource "helm_release" "kubeflow_aws_telemetry" {
+  count      = var.enable_aws_telemetry ? 1 : 0
+  depends_on = [helm_release.kubeflow_central_dashboard]
+
+  name      = "aws-telemetry"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/common/aws-telemetry"
+
+}
+
+resource "helm_release" "kubeflow_user_namespace" {
+  depends_on = [helm_release.kubeflow_central_dashboard]
+
+  name      = "user-namespace"
+  namespace = "kubeflow"
+  chart     = "${var.chart_root_folder}/common/user-namespace"
+
+}
+
+/*
+module "ack_sagemaker" {
+  source            = "../../common/ack-sagemaker-controller"
+  addon_context = module.context.addon_context
+}
+*/
\ No newline at end of file
diff --git a/iaac/terraform/hyperfine/modules/outputs.tf b/iaac/terraform/hyperfine/modules/outputs.tf
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/iaac/terraform/hyperfine/modules/variables.tf b/iaac/terraform/hyperfine/modules/variables.tf
new file mode 100644
index 0000000000..78eee16e9e
--- /dev/null
+++ b/iaac/terraform/hyperfine/modules/variables.tf
@@ -0,0 +1,72 @@
+variable "chart_root_folder" {
+  description = "root folder of charts"
+  type        = string
+  default     = "../../charts"
+}
+
+variable "rds_host" {
+  description = "rds host name to use"
+  type        = string
+}
+
+variable "s3_bucket_name" {
+  description = "s3 bucket name to use"
+  type        = string
+}
+
+variable "s3_region" {
+  description = "region for s3 bucket"
+  type        = string
+  default     = "us-east-1"
+}
+
+
+variable "istio_version" {
+  description = "helm chart version for istio" #  https://artifacthub.io/packages/helm/istio-official/base
+  type        = string
+  default     = "1.16.5"
+}
+
+### notebook configurations
+
+variable "enable_aws_telemetry" {
+  description = "Enable AWS telemetry component"
+  type        = bool
+  default     = true
+}
+
+variable "notebook_enable_culling" {
+  description = "Enable Notebook culling feature. If set to true then the Notebook Controller will scale all Notebooks with Last activity older than the notebook_cull_idle_time to zero"
+  type        = string
+  default     = false
+}
+
+variable "notebook_cull_idle_time" {
+  description = "If a Notebook's LAST_ACTIVITY_ANNOTATION from the current timestamp exceeds this value then the Notebook will be scaled to zero (culled). ENABLE_CULLING must be set to 'true' for this setting to take effect.(minutes)"
+  type        = string
+  default     = 30
+}
+
+variable "notebook_idleness_check_period" {
+  description = "How frequently the controller should poll each Notebook to update its LAST_ACTIVITY_ANNOTATION (minutes)"
+  type        = string
+  default     = 5
+}
+
+# PROVIDER CONFIGS
+variable "eks_cluster_name" {
+  description = "cluster to install kubeflow to"
+  type        = string
+}
+
+variable "use_exec_plugin_for_auth" {
+  description = "If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens."
+  type        = bool
+  default     = true
+}
+
+variable "use_kubergrunt_to_fetch_token" {
+  description = "EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true."
+  type        = bool
+  default     = true
+}
\ No newline at end of file
diff --git a/iaac/terraform/hyperfine/secrets/dependencies.tf b/iaac/terraform/hyperfine/secrets/dependencies.tf
new file mode 100644
index 0000000000..bf2ccdd151
--- /dev/null
+++ b/iaac/terraform/hyperfine/secrets/dependencies.tf
@@ -0,0 +1,29 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_eks_cluster" "eks_cluster" {
+  name = var.eks_cluster_name
+}
+
+data "aws_eks_cluster_auth" "kubernetes_token" {
+  count = var.use_exec_plugin_for_auth ? 0 : 1
+  name  = var.eks_cluster_name
+}
+
+
+data "aws_s3_bucket" "bucket" {
+  bucket = var.s3_bucket_name
+}
+
+data "aws_secretsmanager_secret" "rds" {
+  name = var.rds_secret_name
+}
+
+data "aws_secretsmanager_secret_version" "rds_secret_version" {
+  secret_id = data.aws_secretsmanager_secret.rds.id
+}
+
+locals {
+  rds_secret = jsondecode(data.aws_secretsmanager_secret_version.rds_secret_version.secret_string)
+  oidc_id    = trimprefix(data.aws_eks_cluster.eks_cluster.identity.0.oidc.0.issuer, "https://")
+
+}
\ No newline at end of file
diff --git a/iaac/terraform/hyperfine/secrets/main.tf b/iaac/terraform/hyperfine/secrets/main.tf
new file mode 100644
index 0000000000..68264e868e
--- /dev/null
+++ b/iaac/terraform/hyperfine/secrets/main.tf
@@ -0,0 +1,154 @@
+terraform {
+  required_version = ">= 1.2.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.71"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.7.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.13.1"
+    }
+  }
+}
+
+
+resource "aws_kms_key" "kms" {
+  description             = "${var.eks_cluster_name}-kf-kms"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "Allow access to kubeflow secrets",
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : [
+            data.aws_caller_identity.current.arn,
+            "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+            aws_iam_user.s3_user.arn,
+          ]
+        },
+        "Action" : [
+          "kms:*"
+        ],
+        "Resource" : "*"
+    }]
+  })
+}
+
+resource "aws_kms_alias" "alias" {
+  target_key_id = aws_kms_key.kms.key_id
+  name          = "alias/${var.eks_cluster_name}-kf-kms"
+}
+
+resource "aws_iam_user" "s3_user" {
+  #checkov:skip=CKV_AWS_273: https://github.com/awslabs/kubeflow-manifests/issues/44 minio proxy access
+  name = "${var.eks_cluster_name}-${var.s3_bucket_name}-kf"
+}
+
+resource "aws_iam_access_key" "s3_keys" {
+  user = aws_iam_user.s3_user.name
+}
+
+resource "aws_iam_policy" "s3_policy" {
+  name = "${var.eks_cluster_name}-${var.s3_bucket_name}-secret"
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Action" : [
+            "s3:ListBucket",
+            "s3:GetBucketLocation"
+          ],
+          "Resource" : [data.aws_s3_bucket.bucket.arn]
+        },
+        {
+          "Effect" : "Allow",
+          "Action" : [
+            "s3:GetBucketLocation",
+            "s3:PutObject",
+            "s3:GetObject",
+            "s3:DeleteObject"
+          ],
+          "Resource" : ["${data.aws_s3_bucket.bucket.arn}/*"]
+        }
+      ]
+    }
+  )
+}
+
+resource "aws_iam_group" "minio-group" {
+  name = "${var.eks_cluster_name}-minio"
+}
+
+resource "aws_iam_group_membership" "minio-group-membership" {
+  group = aws_iam_group.minio-group.name
+  users = [aws_iam_user.s3_user.name]
+  name  = "${var.eks_cluster_name}-minio-group-membership"
+}
+
+resource "aws_iam_group_policy_attachment" "s3-policy" {
+  group      = aws_iam_group.minio-group.name
+  policy_arn = aws_iam_policy.s3_policy.arn
+}
+
+resource "aws_secretsmanager_secret" "s3-secret" {
+  name                    = "${var.eks_cluster_name}-kf-s3-secret"
+  recovery_window_in_days = 0
+  kms_key_id              = aws_kms_key.kms.arn
+}
+
+resource "aws_secretsmanager_secret_version" "s3-secret-version" {
+  secret_id = aws_secretsmanager_secret.s3-secret.id
+  secret_string = jsonencode({
+    "accesskey" : aws_iam_access_key.s3_keys.id,
+    "secretkey" : aws_iam_access_key.s3_keys.secret
+  })
+}
+
+resource "aws_secretsmanager_secret" "rds-secret" {
+  name                    = "${var.eks_cluster_name}-kf-rds-secret"
+  recovery_window_in_days = 0
+  kms_key_id              = aws_kms_key.kms.arn
+}
+
+# add additional info to rds secret and encrypt for kubeflow
+resource "aws_secretsmanager_secret_version" "rds-secret-version" {
+  secret_id = aws_secretsmanager_secret.rds-secret.id
+  secret_string = jsonencode({
+    "database" : local.rds_secret["dbname"],
+    "host" : var.rds_host,
+    "password" : local.rds_secret["password"],
+    "port" : local.rds_secret["port"],
+    "username" : local.rds_secret["username"]
+  })
+}
+
+
+data "aws_iam_policy_document" "kf-ssm" {
+  version = "2012-10-17"
+
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:Decrypt", "kms:DescribeKey"]
+    resources = concat([aws_kms_key.kms.arn], var.additional_kms_key_arns)
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret"
+    ]
+    resources = [aws_secretsmanager_secret.rds-secret.arn, aws_secretsmanager_secret.s3-secret.arn]
+  }
+}
diff --git a/iaac/terraform/hyperfine/secrets/outputs.tf b/iaac/terraform/hyperfine/secrets/outputs.tf
new file mode 100644
index 0000000000..6fbcd8caad
--- /dev/null
+++ b/iaac/terraform/hyperfine/secrets/outputs.tf
@@ -0,0 +1,24 @@
+
+output "rds_secret_name" {
+  value = aws_secretsmanager_secret.rds-secret.name
+}
+
+output "s3_secret_name" {
+  value = aws_secretsmanager_secret.s3-secret.name
+}
+
+output "kms_key_arns" {
+  value = concat([aws_kms_key.kms.arn], var.additional_kms_key_arns)
+}
+
+output "rds_host" {
+  value = var.rds_host
+}
+
+output "s3_bucket_name" {
+  value = var.s3_bucket_name
+}
+
+output "s3_region" {
+  value = var.s3_region
+}
\ No newline at end of file
diff --git a/iaac/terraform/hyperfine/secrets/secrets.tf b/iaac/terraform/hyperfine/secrets/secrets.tf
new file mode 100644
index 0000000000..30a443e480
--- /dev/null
+++ b/iaac/terraform/hyperfine/secrets/secrets.tf
@@ -0,0 +1,130 @@
+
+resource "aws_iam_policy" "ssm-access" {
+  name   = "${var.eks_cluster_name}-${var.service_account_name}-policy"
+  policy = data.aws_iam_policy_document.kf-ssm.json
+}
+
+module "irsa" {
+  source                     = "git::git@github.com:hyperfine/terraform-aws-eks.git//modules/eks-irsa?ref=v0.48.3"
+  kubernetes_namespace       = var.namespace
+  kubernetes_service_account = var.service_account_name
+  irsa_iam_policies          = [aws_iam_policy.ssm-access.arn]
+  eks_cluster_id             = var.eks_cluster_name
+
+  create_kubernetes_namespace         = false
+  create_service_account_secret_token = true
+}
+
+locals {
+  module_sa = reverse(split("/", module.irsa.service_account))[0]
+}
+
+resource "kubectl_manifest" "kf-secret-class" {
+  yaml_body = <<YAML
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+  name: aws-secrets
+  namespace: "${module.irsa.namespace}"
+spec:
+  provider: aws
+  secretObjects:
+  - secretName: mysql-secret
+    type: Opaque
+    data:
+    - objectName: "user"
+      key: username
+    - objectName: "pass"
+      key: password
+    - objectName: "host"
+      key: host
+    - objectName: "database"
+      key: database
+    - objectName: "port"
+      key: port
+  - secretName: mlpipeline-minio-artifact
+    type: Opaque
+    data:
+    - objectName: "access"
+      key: accesskey
+    - objectName: "secret"
+      key: secretkey
+  parameters:
+    objects: |
+      - objectName: "${aws_secretsmanager_secret.rds-secret.name}"
+        objectType: "secretsmanager"
+        objectAlias: "rds-secret"
+        objectVersionLabel: "AWSCURRENT"
+        jmesPath:
+            - path: "username"
+              objectAlias: "user"
+            - path: "password"
+              objectAlias: "pass"
+            - path: "host"
+              objectAlias: "host"
+            - path: "database"
+              objectAlias: "database"
+            - path: "port"
+              objectAlias: "port"
+      - objectName: "${aws_secretsmanager_secret.s3-secret.name}"
+        objectType: "secretsmanager"
+        objectAlias: "s3-secret"
+        objectVersionLabel: "AWSCURRENT"
+        jmesPath:
+            - path: "accesskey"
+              objectAlias: "access"
+            - path: "secretkey"
+              objectAlias: "secret"
+YAML
+}
+
+
+resource "kubectl_manifest" "kf-secret-pod" {
+  depends_on = [kubectl_manifest.kf-secret-class]
+  yaml_body  = <<YAML
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kf-secrets-deployment
+  namespace: "${module.irsa.namespace}"
+  labels:
+    app: kf-secrets
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kf-secrets
+  template:
+    metadata:
+      labels:
+        app: kf-secrets
+    spec:
+      containers:
+      - image: k8s.gcr.io/e2e-test-images/busybox:1.29
+        command:
+        - "/bin/sleep"
+        - "10000"
+        name: secrets
+        volumeMounts:
+        - mountPath: "/mnt/rds-store"
+          name: "${aws_secretsmanager_secret.rds-secret.name}"
+          readOnly: true
+        - mountPath: "/mnt/aws-store"
+          name: "${aws_secretsmanager_secret.s3-secret.name}"
+          readOnly: true
+      serviceAccountName: "${local.module_sa}"
+      volumes:
+      - csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: aws-secrets
+        name: "${aws_secretsmanager_secret.rds-secret.name}"
+      - csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: aws-secrets
+        name: "${aws_secretsmanager_secret.s3-secret.name}"
+YAML
+}
diff --git a/iaac/terraform/hyperfine/secrets/variables.tf b/iaac/terraform/hyperfine/secrets/variables.tf
new file mode 100644
index 0000000000..5b16cdda1a
--- /dev/null
+++ b/iaac/terraform/hyperfine/secrets/variables.tf
@@ -0,0 +1,60 @@
+# access key info
+variable "s3_bucket_name" {
+  description = "bucket to access"
+  type        = string
+}
+
+variable "rds_secret_name" {
+  description = "secretmaanger for rds config"
+  type        = string
+}
+
+variable "rds_host" {
+  description = "rds host name to use"
+  type        = string
+}
+
+variable "s3_region" {
+  description = "region for s3 bucket"
+  type        = string
+  default     = "us-east-1"
+}
+
+# optional
+
+variable "namespace" {
+  description = "namespace to create secrets in"
+  type = string
+  default = "kubeflow"
+}
+
+variable "service_account_name" {
+  description = "name of service account to use"
+  type = string
+  default = "kf-secrets-manager-sa"
+}
+
+variable "additional_kms_key_arns" {
+  description = "list of kms keys to add to"
+  type        = list(string)
+  default     = []
+}
+
+
+# PROVIDER CONFIGS
+variable "eks_cluster_name" {
+  description = "cluster to install kubeflow to"
+  type        = string
+}
+
+variable "use_exec_plugin_for_auth" {
+  description = "If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens."
+  type        = bool
+  default     = true
+}
+
+variable "use_kubergrunt_to_fetch_token" {
+  description = "EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true."
+  type        = bool
+  default     = true
+}
\ No newline at end of file
diff --git a/iaac/terraform/hyperfine/user/dependencies.tf b/iaac/terraform/hyperfine/user/dependencies.tf
new file mode 100644
index 0000000000..3d9641fa2e
--- /dev/null
+++ b/iaac/terraform/hyperfine/user/dependencies.tf
@@ -0,0 +1,16 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  oidc_id      = trimprefix(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://")
+  secret_names = toset([var.rds_secret_name, var.s3_secret_name, var.ssh_key_secret_name])
+}
+
+data "aws_secretsmanager_secret" "secrets" {
+  for_each = local.secret_names
+  name     = each.key
+}
+
+
+data "aws_eks_cluster" "cluster" {
+  name = var.eks_cluster_name
+}
diff --git a/iaac/terraform/hyperfine/user/main.tf b/iaac/terraform/hyperfine/user/main.tf
new file mode 100644
index 0000000000..390e6a2711
--- /dev/null
+++ b/iaac/terraform/hyperfine/user/main.tf
@@ -0,0 +1,101 @@
+terraform {
+  required_providers {
+    aws = {
+      version = ">= 3.71"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.0"
+    }
+  }
+}
+
+resource "kubernetes_namespace_v1" "ns" {
+  metadata {
+    name = split("@", var.email)[0]
+
+    labels = {
+      "app.kubernetes.io/part-of"                      = "kubeflow-profile"
+      "katib.kubeflow.org/metrics-collector-injection" = "enabled"
+      "pipelines.kubeflow.org/enabled"                 = "true"
+      "serving.kubeflow.org/inferenceservice"          = "enabled"
+    }
+
+    annotations = {
+      owner: var.email
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].labels["app.kubernetes.io/part-of"],
+      metadata[0].labels["katib.kubeflow.org/metrics-collector-injection"],
+      metadata[0].labels["pipelines.kubeflow.org/enabled"],
+      metadata[0].labels["serving.kubeflow.org/inferenceservice"]
+    ]
+  }
+}
+
+locals {
+  name = kubernetes_namespace_v1.ns.metadata[0].name
+  email = var.email
+  sa_name = "${local.name}-sa"
+}
+
+data "aws_iam_policy_document" "ssm" {
+  version = "2012-10-17"
+
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:Decrypt", "kms:DescribeKey"]
+    resources = var.kms_key_arns
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret"
+    ]
+    resources = [for k, v in data.aws_secretsmanager_secret.secrets : v.arn]
+  }
+}
+
+resource "aws_iam_policy" "ssm" {
+  name   = "${var.eks_cluster_name}-${local.name}-sa-ssm-policy"
+  policy = data.aws_iam_policy_document.ssm.json
+}
+
+
+module "irsa" {
+  source                     = "git::git@github.com:hyperfine/terraform-aws-eks.git//modules/eks-irsa?ref=v0.48.3"
+  kubernetes_namespace       = local.name
+  kubernetes_service_account = local.sa_name
+  irsa_iam_policies          = [aws_iam_policy.ssm.arn]
+  eks_cluster_id             = var.eks_cluster_name
+
+  create_kubernetes_namespace         = false
+  create_service_account_secret_token = true
+}
+
+locals {
+  module_sa = reverse(split("/", module.irsa.service_account))[0] # implicit dependency
+}
+
+resource "helm_release" "user" {
+  chart = "../../charts/hyperfine/user"
+
+  namespace = local.name
+  name = "${local.name}-kf-user"
+
+  values = [<<YAML
+name: ${local.name}
+email: ${local.email}
+s3SecretName: ${var.s3_secret_name}
+rdsSecretName: ${var.rds_secret_name}
+sshKeySecretName: ${var.ssh_key_secret_name}
+efsStorageClassName: ${var.efs_storage_class_name}
+serviceAccountName: ${local.module_sa}
+YAML
+  ]
+}
\ No newline at end of file
diff --git a/iaac/terraform/hyperfine/user/outputs.tf b/iaac/terraform/hyperfine/user/outputs.tf
new file mode 100644
index 0000000000..722ec28601
--- /dev/null
+++ b/iaac/terraform/hyperfine/user/outputs.tf
@@ -0,0 +1,3 @@
+output "irsa_iam_role_arn" {
+  value = module.irsa.irsa_iam_role_arn
+}
\ No newline at end of file
diff --git a/iaac/terraform/hyperfine/user/variables.tf b/iaac/terraform/hyperfine/user/variables.tf
new file mode 100644
index 0000000000..6b49dbc4dc
--- /dev/null
+++ b/iaac/terraform/hyperfine/user/variables.tf
@@ -0,0 +1,37 @@
+
+variable "email" {
+  description = "email to use for username@domain.com"
+  type        = string
+}
+
+variable "rds_secret_name" {
+  description = "secretmamanger secet for rds access"
+  type        = string
+}
+
+variable "s3_secret_name" {
+  description = "secretmanager secret for s3 access"
+  type        = string
+}
+
+variable "ssh_key_secret_name" {
+  description = "secretmanager secret for user's ssh key"
+  type        = string
+}
+
+variable "efs_storage_class_name" {
+  description = "efs storage class name to create pvc for"
+  type        = string
+  default     = "dl-efs-home-sc"
+}
+
+variable "kms_key_arns" {
+  description = "kms key arns to allow access to"
+  type        = list(string)
+  default     = []
+}
+
+variable "eks_cluster_name" {
+  description = "cluster to install to"
+  type        = string
+}
diff --git a/tests/e2e/resources/installation_config/rds-only.yaml b/tests/e2e/resources/installation_config/rds-only.yaml
index 31a31058a7..55416259a0 100644
--- a/tests/e2e/resources/installation_config/rds-only.yaml
+++ b/tests/e2e/resources/installation_config/rds-only.yaml
@@ -55,7 +55,7 @@ dex:
   installation_options:
     kustomize:
       paths: 
-        - ../../upstream/common/dex/overlays/istio
+        - ../../awsconfigs/common/dex
     helm: 
       paths: ../../charts/common/dex
   validations:
diff --git a/tests/e2e/resources/installation_config/rds-s3.yaml b/tests/e2e/resources/installation_config/rds-s3.yaml
index 8d5519cfa4..b9f5c07dce 100644
--- a/tests/e2e/resources/installation_config/rds-s3.yaml
+++ b/tests/e2e/resources/installation_config/rds-s3.yaml
@@ -55,7 +55,7 @@ dex:
   installation_options:
     kustomize:
       paths: 
-        - ../../upstream/common/dex/overlays/istio
+        - ../../awsconfigs/common/dex
     helm: 
       paths: ../../charts/common/dex
   validations:
diff --git a/tests/e2e/resources/installation_config/s3-only.yaml b/tests/e2e/resources/installation_config/s3-only.yaml
index 1fce5e52ad..dd3e47fd12 100644
--- a/tests/e2e/resources/installation_config/s3-only.yaml
+++ b/tests/e2e/resources/installation_config/s3-only.yaml
@@ -55,7 +55,7 @@ dex:
   installation_options:
     kustomize:
       paths: 
-        - ../../upstream/common/dex/overlays/istio
+        - ../../awsconfigs/common/dex
     helm: 
       paths: ../../charts/common/dex
   validations:
diff --git a/tests/e2e/resources/installation_config/vanilla.yaml b/tests/e2e/resources/installation_config/vanilla.yaml
index 0e5f62259a..8335a3049e 100644
--- a/tests/e2e/resources/installation_config/vanilla.yaml
+++ b/tests/e2e/resources/installation_config/vanilla.yaml
@@ -58,7 +58,7 @@ dex:
   installation_options:
     kustomize:
       paths: 
-        - ../../upstream/common/dex/overlays/istio
+        - ../../awsconfigs/common/dex
     helm: 
       paths: ../../charts/common/dex
   validations:
diff --git a/tests/e2e/tests/test_sanity.py b/tests/e2e/tests/test_sanity.py
index 86df622981..be8c553af7 100644
--- a/tests/e2e/tests/test_sanity.py
+++ b/tests/e2e/tests/test_sanity.py
@@ -73,6 +73,10 @@
 from e2e.utils.s3_for_training.data_bucket import S3BucketWithTrainingData
 
 
+from e2e.utils.aws.iam import IAMRole
+from e2e.utils.s3_for_training.data_bucket import S3BucketWithTrainingData
+
+
 INSTALLATION_PATH_FILE = "./resources/installation_config/vanilla.yaml"
 CUSTOM_RESOURCE_TEMPLATES_FOLDER = "./resources/custom-resource-templates"
 PROFILE_NAMESPACE = "kubeflow-user-example-com"
@@ -80,6 +84,9 @@
 RANDOM_PREFIX = rand_name("kfp-")
 PIPELINE_NAME_KFP = "[Tutorial] SageMaker Training"
 
+RANDOM_PREFIX = rand_name("kfp-")
+PIPELINE_NAME_KFP = "[Tutorial] SageMaker Training"
+
 
 @pytest.fixture(scope="class")
 def installation_path():
@@ -189,6 +196,53 @@ def host(setup_load_balancer):
     print(f"accessing {host}...")
     return host
 
+
+@pytest.fixture(scope="class")
+def sagemaker_execution_role(region, metadata, request):
+    sagemaker_execution_role_name = "role-" + RANDOM_PREFIX
+    managed_policies = [
+        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+        "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
+    ]
+    role = IAMRole(
+        name=sagemaker_execution_role_name, region=region, policy_arns=managed_policies
+    )
+    metadata_key = "sagemaker_execution_role"
+
+    resource_details = {}
+
+    def on_create():
+        trust_policy = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Principal": {"Service": "sagemaker.amazonaws.com"},
+                    "Action": "sts:AssumeRole",
+                }
+            ],
+        }
+
+        sagemaker_execution_role_arn = role.create(
+            policy_document=json.dumps(trust_policy)
+        )
+
+        resource_details["name"] = sagemaker_execution_role_name
+        resource_details["arn"] = sagemaker_execution_role_arn
+
+    def on_delete():
+        role.delete()
+
+    return configure_resource_fixture(
+        metadata=metadata,
+        request=request,
+        resource_details=resource_details,
+        metadata_key=metadata_key,
+        on_create=on_create,
+        on_delete=on_delete,
+    )
+
+
 @pytest.fixture(scope="class")
 def sagemaker_execution_role(region, metadata, request):
     sagemaker_execution_role_name = "role-" + RANDOM_PREFIX
diff --git a/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py b/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py
index caa3b36eeb..00c3a00191 100644
--- a/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py
+++ b/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py
@@ -32,6 +32,7 @@
 from shutil import which
 
 
+
 def main():
     verify_prerequisites()
     s3_client = get_s3_client(
diff --git a/website/config.toml b/website/config.toml
index ef1624e301..b595d4b6f6 100644
--- a/website/config.toml
+++ b/website/config.toml
@@ -102,7 +102,7 @@ disableKinds = ["taxonomy", "taxonomyTerm"]
   # The major.minor version tag for the version of the docs represented in this
   # branch of the repository. Used in the "version-banner" partial to display a
   # version number for this doc set.
-  version = "main"
+  version = "1.6"
 
   # Flag used in the "version-banner" partial to decide whether to display a
   # banner on every page indicating that this is an archived version of the docs.
diff --git a/website/content/en/blog/_index.md b/website/content/en/blog/_index.md
index e2f41df727..bd6e363632 100644
--- a/website/content/en/blog/_index.md
+++ b/website/content/en/blog/_index.md
@@ -23,13 +23,11 @@ Find case studies, use cases, best practices, benchmarks, and more.
     * Support for running machine learning workloads on Amazon SageMaker from Kubeflow.
     * Enhanced monitoring and observability for ML workloads using Amazon Managed Prometheus (AMP) and Amazon Managed Grafana.
 
-1. [Build and deploy a scalable machine learning system on Kubernetes with Kubeflow on AWS](https://aws.amazon.com/blogs/machine-learning/build-and-deploy-a-scalable-machine-learning-system-on-kubernetes-with-kubeflow-on-aws/). This blog post is based on Kubeflow-1.4 and is listed here for educational purpose. AWS distribution of Kubeflow might have changed since then. We recommend to install the [latest version](http://localhost:1313/kubeflow-manifests/main/docs/deployment/prerequisites/).
+2. [Build and deploy a scalable machine learning system on Kubernetes with Kubeflow on AWS](https://aws.amazon.com/blogs/machine-learning/build-and-deploy-a-scalable-machine-learning-system-on-kubernetes-with-kubeflow-on-aws/). This blog post is based on Kubeflow-1.4 and is listed here for educational purpose. AWS distribution of Kubeflow might have changed since then. We recommend to install the [latest version](http://localhost:1313/kubeflow-manifests/main/docs/deployment/prerequisites/).
 
-1. Find out how [Athenahealth uses Kubeflow on AWS](https://aws.amazon.com/blogs/machine-learning/build-repeatable-secure-and-extensible-end-to-end-machine-learning-workflows-using-kubeflow-on-aws/) to build and streamline an end-to-end data science workflow that preserves essential tooling, optimizes operational efficiency, increases data scientist productivity, and sets the stage for extending their ML capabilities more easily.
+3. Find out how [Athenahealth uses Kubeflow on AWS](https://aws.amazon.com/blogs/machine-learning/build-repeatable-secure-and-extensible-end-to-end-machine-learning-workflows-using-kubeflow-on-aws/) to build and streamline an end-to-end data science workflow that preserves essential tooling, optimizes operational efficiency, increases data scientist productivity, and sets the stage for extending their ML capabilities more easily.
 
-1. [Build an hybrid distributed training architecture using Kubeflow on AWS and Amazon SageMaker](https://aws.amazon.com/blogs/machine-learning/build-flexible-and-scalable-distributed-training-architectures-using-kubeflow-on-aws-and-amazon-sagemaker/). This post further illustrates how you can use open-source libraries in your deep learning training script and still make it compatible to run on both Kubernetes and SageMaker in a platform agnostic way.
-
-1. [Use Amazon SageMaker Operators for Kubernetes (ACK) to train and deploy machine learning models](https://aws.amazon.com/blogs/machine-learning/use-amazon-sagemaker-ack-operators-to-train-and-deploy-machine-learning-models/).
+4. [Build an hybrid distributed training architecture using Kubeflow on AWS and Amazon SageMaker](https://aws.amazon.com/blogs/machine-learning/build-flexible-and-scalable-distributed-training-architectures-using-kubeflow-on-aws-and-amazon-sagemaker/). This post further illustrates how you can use open-source libraries in your deep learning training script and still make it compatible to run on both Kubernetes and SageMaker in a platform agnostic way.
 
 ## Watch 
 
@@ -38,10 +36,10 @@ This section curates a list of recorded virtual workshops, demos, and general pr
 1. [Train and deploy your deep learning models with AWS distribution of Kubeflow integrated with Amazon SageMaker](https://pages.awscloud.com/Train-and-deploy-your-deep-learning-models-with-AWS-distribution-of-Kubeflow-integrated-with-Amazon-SageMaker_2022_VW_s50e02-MCL_OD) - This workshop covers Kubeflow on AWS v1.6 architecture and is using one-click solution that is now provided in AWS Kubeflow distribution to automate end to end deployment of Amazon EKS and Kubeflow.
 The workshop has further used this automated setup to demonstrate how Amazon Sagemaker could be leveraged from Kubeflow Pipelines using latest SageMaker components that now supports SageMaker ACK Operators to run PyTorch based distributed model training.
 
-1. [AWS Virtual Workshop "Distributed Training using PyTorch with Kubeflow on AWS and AWS DLC"](http://youtu.be/qctwfYZKK8M) - Demonstrates how Kubeflow on AWS integration with AWS Deep Learning Containers and Amazon Elastic File System (Amazon EFS) allows building and training PyTorch based deep learning models on both Amazon SageMaker and Amazon Elastic Kubernetes Service (EKS) with flexibility and scale in a hybrid architecture. Attended by over 50 customers. Aug 23rd, 2022
+2. [AWS Virtual Workshop "Distributed Training using PyTorch with Kubeflow on AWS and AWS DLC"](http://youtu.be/qctwfYZKK8M) - Demonstrates how Kubeflow on AWS integration with AWS Deep Learning Containers and Amazon Elastic File System (Amazon EFS) allows building and training PyTorch based deep learning models on both Amazon SageMaker and Amazon Elastic Kubernetes Service (EKS) with flexibility and scale in a hybrid architecture. Attended by over 50 customers. Aug 23rd, 2022
 
-1. [re:Inforce Session "Hybrid distributed training architecture using Kubeflow and SageMaker"](https://youtu.be/jFp4g8Yjabc) - Attended by over 900 customers. July 27, 2022
+3. [re:Inforce Session "Hybrid distributed training architecture using Kubeflow and SageMaker"](https://youtu.be/jFp4g8Yjabc) - Attended by over 900 customers. July 27, 2022
 
-1. [Live at re:Mars Session "Deploy and scale your ML workflow on Kubernetes with Kubeflow on AWS"](https://www.linkedin.com/video/live/urn:li:ugcPost:6945501585447804929/). You will be prompted to log into LinkedIn. July, 2022
+4. [Live at re:Mars Session "Deploy and scale your ML workflow on Kubernetes with Kubeflow on AWS"](https://www.linkedin.com/video/live/urn:li:ugcPost:6945501585447804929/). You will be prompted to log into LinkedIn. July, 2022
 
 1. [re:Mars Session “AWS Distribution of Kubeflow supporting Kubeflow v1.4”](https://www.youtube.com/watch?v=RfJcDhZ8PJY&list=PL2yQDdvlhXf8cfiry7ngFIK7hprDWGJp0&index=7) - Kubeflow on AWS value proposition and demo. July 8, 2022.