diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf index e31e9ae..2613f1d 100644 --- a/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf +++ b/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf @@ -69,8 +69,11 @@ resource "helm_release" "cluster-autoscaler" { chart = "cluster-autoscaler" name = "cluster-autoscaler" namespace = "kube-system" - repository = "${path.module}/charts/" +# repository = "${path.module}/charts/" + repository = local.charts["cluster-autoscaler"].use_remote ? local.charts["cluster-autoscaler"].repository : "${path.module}/charts" + version = local.charts["cluster-autoscaler"].use_remote ? local.charts["cluster-autoscaler"].version : null # depends_on = [null_resource.copy_images] + depends_on = [module.images] set { name = "image.repository" @@ -97,6 +100,8 @@ resource "helm_release" "cluster-autoscaler" { } # Install cert-manager +# https://cert-manager.io/docs/installation/helm/ +# https://artifacthub.io/packages/helm/cert-manager/cert-manager resource "helm_release" "cert-manager" { chart = "cert-manager" name = "cert-manager" @@ -148,8 +153,21 @@ resource "helm_release" "cert-manager" { # value = var.cert_manager_webhook_tag value = local.image_output["cert-manager-webhook"].tag } +# set { +# name = "startupapicheck.enabled" +# value = "false" +# } + set { + name = "startupapicheck.image.repository" + value = split(":", local.image_output["cert-manager-ctl"].dest_full_path)[0] + } + set { + name = "startupapicheck.image.tag" + value = local.image_output["cert-manager-ctl"].tag + } - timeout = 180 +# timeout = 180 + timeout = 600 } # cert-manager reports ready before the cert-manager-webhook pod 
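Review bot: With `use_remote = true`, the new `repository`/`version` pair in `helm_release.cluster-autoscaler` fetches the chart from a public repository at apply time, and nothing in the hunk checks its integrity beyond the version string. The `chart_details` entry added in variables.images.auto.tfvars points it at `https://kubernetes.github.io/autoscaler` version `9.29.1`, so whoever controls that chart index decides what gets installed into `kube-system`. Consider `verify = true` on the release if the upstream publishes provenance files, or keep a reviewed copy under `${path.module}/charts` as the default. The commented-out `# repository = ...` line can be dropped rather than kept beside its replacement. The resource body continues outside the hunk.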
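Review bot: `split(":", local.image_output["cert-manager-ctl"].dest_full_path)[0]` in the new `startupapicheck.image.repository` block cuts at the first colon, so a destination registry written with a port (`host:5000/path:tag`) would be truncated to the bare host name. Assuming `dest_full_path` ends in `:<tag>`, stripping only that suffix is safer: `value = trimsuffix(local.image_output["cert-manager-ctl"].dest_full_path, ":${local.image_output["cert-manager-ctl"].tag}")`. The commented-out `startupapicheck.enabled` block and `# timeout = 180` are leftovers that could be removed, and a short comment saying why the timeout went to 600 would help the next reader. The `helm_release.cert-manager` body starts outside the hunk.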
@@ -182,9 +200,9 @@ locals { base64encode(local.vault_ca_bundle_pem) : var.vault_ca_bundle_pem_b64) - vault_ca = ! local.intermediate_ca && length(var.vault_url) > 0 + vault_ca = !local.intermediate_ca && length(var.vault_url) > 0 - self_signed_ca = ! local.intermediate_ca && ! local.vault_ca + self_signed_ca = !local.intermediate_ca && !local.vault_ca defined_ca = (local.self_signed_ca ? 1 : 0) + (local.intermediate_ca ? 1 : 0) + (local.vault_ca ? 1 : 0) } @@ -308,9 +326,9 @@ resource "helm_release" "istio-operator" { depends_on = [helm_release.cert-manager] set { - name = "hub" - # value = format("%v/%v", local.account_ecr, "istio") - value = format("%v/eks/%v/%v", local.image_output["istio"].dest_registry, var.cluster_name, "istio") + name = "hub" +# value = format("%v/%v", local.account_ecr, "istio") + value = format("%v/eks/%v/%v", local.image_output["istio-operator"].dest_registry, var.cluster_name, "istio") } set { name = "tag" @@ -348,7 +366,7 @@ resource "helm_release" "istio-profile" { set { name = "hub" # value = format("%v/%v", local.account_ecr, "istio") - value = format("%v/eks/%v/%v", local.image_output["istio"].dest_registry, var.cluster_name, "istio") + value = format("%v/eks/%v/%v", local.image_output["istio-operator"].dest_registry, var.cluster_name, "istio") } set { name = "tag" diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/variables.images.auto.tfvars b/examples/full-cluster-tf-upgrade/1.25/common-services/variables.images.auto.tfvars index 8991054..ec4c2be 100644 --- a/examples/full-cluster-tf-upgrade/1.25/common-services/variables.images.auto.tfvars +++ b/examples/full-cluster-tf-upgrade/1.25/common-services/variables.images.auto.tfvars @@ -2,7 +2,7 @@ chart_details = { "cert-manager" = { name = "cert-manager" repository = "https://charts.jetstack.io" - version = "v1.12.2" + version = "v1.12.3" use_remote = true } "metrics-server" = { 
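Review bot: The `hub` value in `helm_release.istio-operator` still ends in the hard-coded segment `"istio"`, while this commit renames the image entries in variables.images.auto.tfvars from `istio/operator`, `istio/pilot` and `istio/proxyv2` to `istio-operator`, `istio-pilot` and `istio-proxyv2`. If the image module derives the destination repository from `name` (not visible here), the mirrored images would no longer sit under `.../istio/` and the operator would pull from a path that was never pushed, or from whatever stale image is still there. The same expression is repeated in the `istio-profile` hunk. It is worth confirming the destination paths, and hoisting the expression into one local such as `istio_hub = format("%v/eks/%v/%v", local.image_output["istio-operator"].dest_registry, var.cluster_name, "istio")`, so both releases cannot drift apart.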
@@ -11,6 +11,12 @@ chart_details = { version = "6.2.6" use_remote = true } + "cluster-autoscaler" = { + name = "cluster-autoscaler" + repository = "https://kubernetes.github.io/autoscaler" + version = "9.29.1" + use_remote = true + } } image_details = { @@ -21,7 +27,7 @@ image_details = { source_registry = "quay.io" source_image = "jetstack/cert-manager-controller" source_tag = null - tag = "v1.12.2" + tag = "v1.12.3" enabled = true } "cert-manager-cainjector" = { @@ -31,7 +37,7 @@ image_details = { source_registry = "quay.io" source_image = "jetstack/cert-manager-cainjector" source_tag = null - tag = "v1.12.2" + tag = "v1.12.3" enabled = true } "cert-manager-webhook" = { @@ -41,7 +47,17 @@ image_details = { source_registry = "quay.io" source_image = "jetstack/cert-manager-webhook" source_tag = null - tag = "v1.12.2" + tag = "v1.12.3" + enabled = true + } + "cert-manager-ctl" = { + name = "cert-manager-ctl" + image = "quay.io/jetstack/cert-manager-ctl" + dest_path = null + source_registry = "quay.io" + source_image = "jetstack/cert-manager-ctl" + source_tag = null + tag = "v1.12.3" enabled = true } "cluster-autoscaler" = { @@ -51,7 +67,7 @@ image_details = { source_registry = "registry.k8s.io" source_image = "autoscaling/cluster-autoscaler" source_tag = null - tag = "v1.24.0" + tag = "v1.25.3" enabled = true } "metrics-server" = { @@ -65,7 +81,7 @@ image_details = { enabled = true } "istio-operator" = { - name = "istio/operator" + name = "istio-operator" image = "docker.io/istio/operator" dest_path = null source_registry = "docker.io" @@ -75,7 +91,7 @@ image_details = { enabled = true } "istio-pilot" = { - name = "istio/pilot" + name = "istio-pilot" image = "docker.io/istio/pilot" dest_path = null source_registry = "docker.io" @@ -85,7 +101,7 @@ image_details = { enabled = true } "istio-proxyv2" = { - name = "istio/proxyv2" + name = "istio-proxyv2" image = "docker.io/istio/proxyv2" dest_path = null source_registry = "docker.io" 
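Review bot: The new `cert-manager-ctl` entry, like the bumped cert-manager and cluster-autoscaler entries around it, identifies the upstream image only by a mutable tag (`tag = "v1.12.3"`, `source_tag = null`). A tag on quay.io or registry.k8s.io can be re-pointed, so the mirror step may copy different content on a later run without any change in this file. If the image map has no digest field (none is visible in this hunk), a comment per entry would at least document the expectation, e.g. `# verify digest against the upstream release before mirroring`. Recording the expected digest beside the tag and checking it in the mirror step would be stronger.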
@@ -109,19 +125,19 @@ image_details = { image = "docker.io/bitnami/prometheus" dest_path = null source_registry = "docker.io" - source_image = "bitnami/prometheus" + source_image = "bitnami/prometheus" source_tag = null tag = "2.28.1" enabled = true } "alertmanager" = { - name = "alertmanager" - image = "docker.io/bitnami/alertmanager" - dest_path = null + name = "alertmanager" + image = "docker.io/bitnami/alertmanager" + dest_path = null source_registry = "docker.io" source_image = "bitnami/alertmanager" - source_tag = null - tag = "0.22.2" - enabled = true + source_tag = null + tag = "0.22.2" + enabled = true } } diff --git a/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf b/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf index a2e3baa..f06a43e 100644 --- a/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf +++ b/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf @@ -144,6 +144,14 @@ resource "aws_security_group" "extra_cluster_sg" { cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) } +# kubectl logs + ingress { + from_port = 10250 + to_port = 10250 + protocol = "tcp" + cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) + } + egress { from_port = 0 to_port = 0
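Review bot: The new ingress rule opens the kubelet API port 10250 to `concat(var.census_private_cidr, ["10.0.0.0/8"])`, which is much wider than `kubectl logs` needs. Only the control plane has to reach the kubelet for logs and exec, so the rule can be scoped to the control-plane security group instead of a CIDR, e.g. `security_groups = [<CONTROL_PLANE_SG_ID>]` (placeholder) in place of the `cidr_blocks` line. If the broad range is kept, expand the `# kubectl logs` comment to say which sources are expected and why, since 10250 accepts exec and port-forward requests as well as log reads. The `aws_security_group.extra_cluster_sg` body starts and ends outside the hunk.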