diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml index 8321c86..f01c1fe 100644 --- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml +++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml @@ -23,7 +23,7 @@ content: "{{ vapp['metacluster.password'] }}" no_log: true -- name: Generate root CA +- name: Generate step-ca helm chart values (including root CA certificate) ansible.builtin.shell: cmd: >- step ca init \ diff --git a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/certauthority.yml b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/certauthority.yml new file mode 100644 index 0000000..03812da --- /dev/null +++ b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/certauthority.yml 
@@ -0,0 +1,52 @@
+- block:
+
+ - name: Initialize tempfile
+ ansible.builtin.tempfile:
+ state: file
+ register: values_file
+
+ - name: Lookup current chart values
+ kubernetes.core.helm_info:
+ name: step-certificates
+ namespace: step-ca
+ kubeconfig: "{{ kubeconfig.path }}"
+ register: stepca_values
+
+ - name: Write chart values w/ password to tempfile
+ ansible.builtin.copy:
+ dest: "{{ values_file.path }}"
+ content: "{{ stepca_values.status | json_query('values') | to_yaml }}"
+ no_log: true
+
+ - name: Upgrade step-ca chart
+ kubernetes.core.helm:
+ name: step-certificates
+ chart_ref: /opt/metacluster/helm-charts/step-certificates
+ release_namespace: step-ca
+ wait: false
+ kubeconfig: "{{ kubeconfig.path }}"
+ values_files:
+ - "{{ values_file.path }}"
+
+ - name: Cleanup tempfile
+ ansible.builtin.file:
+ path: "{{ values_file.path }}"
+ state: absent
+ when: values_file.path is defined
+
+ - name: Ensure step-ca API availability
+ ansible.builtin.uri:
+ url: https://ca.{{ vapp['metacluster.fqdn'] }}/health
+ method: GET
+ register: api_readycheck
+ until:
+ - api_readycheck.json.status is defined
+ - api_readycheck.json.status == 'ok'
+ retries: "{{ playbook.retries }}"
+ delay: "{{ playbook.delay.long }}"
+
+ module_defaults:
+ ansible.builtin.uri:
+ validate_certs: no
+ status_code: [200, 201]
+ body_format: json
diff --git a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/git.yml b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/git.yml
new file mode 100644
index 0000000..6f1ff8a
--- /dev/null
+++ b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/git.yml
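Review bot: The `Lookup current chart values` task registers the full step-certificates release values into `stepca_values` without `no_log: true`, although the very next task names that data as containing the CA password and hides it; at `-v` the registered result is printed in full, so the helm_info task needs `no_log: true` as well, placed under `register: stepca_values`. The `Cleanup tempfile` task sits in the block's normal task flow, so a failed helm upgrade or readiness check leaves the plaintext values file on disk; moving it under an `always:` section of the block guarantees removal on every exit path. `validate_certs: no` in `module_defaults` relies on YAML 1.1 truthiness and should be written `validate_certs: false`; the same applies to the git.yml and gitops.yml hunks.
```yaml
- block:
    # … unchanged: tempfile, helm_info, copy-values, helm upgrade and readiness-check tasks …
  always:
    - name: Cleanup tempfile
      ansible.builtin.file:
        path: "{{ values_file.path }}"
        state: absent
      when: values_file.path is defined
  module_defaults:
    ansible.builtin.uri:
      validate_certs: false
      status_code: [200, 201]
      body_format: json
```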
@@ -0,0 +1,27 @@
+- block:
+
+ - name: Upgrade gitea chart
+ kubernetes.core.helm:
+ name: gitea
+ chart_ref: /opt/metacluster/helm-charts/gitea
+ release_namespace: gitea
+ wait: false
+ kubeconfig: "{{ kubeconfig.path }}"
+ values: "{{ components.gitea.chart_values }}"
+
+ - name: Ensure gitea API availability
+ ansible.builtin.uri:
+ url: https://git.{{ vapp['metacluster.fqdn'] }}/api/healthz
+ method: GET
+ register: api_readycheck
+ until:
+ - api_readycheck.json.status is defined
+ - api_readycheck.json.status == 'pass'
+ retries: "{{ playbook.retries }}"
+ delay: "{{ playbook.delay.long }}"
+
+ module_defaults:
+ ansible.builtin.uri:
+ validate_certs: no
+ status_code: [200, 201]
+ body_format: json
diff --git a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/gitops.yml b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/gitops.yml
new file mode 100644
index 0000000..77e99d1
--- /dev/null
+++ b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/gitops.yml
@@ -0,0 +1,26 @@
+- block:
+
+ - name: Upgrade argo-cd chart
+ kubernetes.core.helm:
+ name: argo-cd
+ chart_ref: /opt/metacluster/helm-charts/argo-cd
+ release_namespace: argo-cd
+ wait: false
+ kubeconfig: "{{ kubeconfig.path }}"
+ values: "{{ components.argocd.chart_values }}"
+
+ - name: Ensure argo-cd API availability
+ ansible.builtin.uri:
+ url: https://gitops.{{ vapp['metacluster.fqdn'] }}/api/version
+ method: GET
+ register: api_readycheck
+ until:
+ - api_readycheck.json.Version is defined
+ retries: "{{ playbook.retries }}"
+ delay: "{{ playbook.delay.long }}"
+
+ module_defaults:
+ ansible.builtin.uri:
+ validate_certs: no
+ status_code: [200, 201]
+ body_format: json
diff --git a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/main.yml
index 3efeca2..2c82dfc 100644
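Review bot: `Upgrade gitea chart` passes the release values inline via `values: "{{ components.gitea.chart_values }}"` with no `no_log`, while certauthority.yml in the same commit treats chart values as sensitive and routes them through a `no_log: true` step. Whether `components.gitea.chart_values` carries credentials is not visible here, but if it does, the task result and invocation are echoed at higher verbosity and the helm task should carry `no_log: true`; the gitops.yml hunk has the same shape with `components.argocd.chart_values`. On the readiness probe, `status_code: [200, 201]` with `method: GET` is broader than needed, since 201 is not an expected reply to a GET; `status_code: 200` states the intent more precisely.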
--- a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/main.yml
@@ -3,9 +3,7 @@
 - import_tasks: k3s.yml
 - import_tasks: assets.yml
 - import_tasks: storage.yml
-
-# - import_tasks: charts.yml
 - import_tasks: registry.yml
-# - import_tasks: certauthority.yml
-# - import_tasks: git.yml
-# - import_tasks: gitops.yml
+- import_tasks: certauthority.yml
+- import_tasks: git.yml
+- import_tasks: gitops.yml
diff --git a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/registry.yml b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/registry.yml
index f23af6e..b0db1a5 100644
--- a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/registry.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/registry.yml
@@ -5,7 +5,6 @@
 name: harbor
 chart_ref: /opt/metacluster/helm-charts/harbor
 release_namespace: harbor
- create_namespace: true
 wait: false
 kubeconfig: "{{ kubeconfig.path }}"
 values: "{{ components.harbor.chart_values }}"
diff --git a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/storage.yml b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/storage.yml
index 70c99a9..2d89010 100644
--- a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/storage.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/storage.yml
@@ -32,7 +32,6 @@
 name: longhorn
 chart_ref: /opt/metacluster/helm-charts/longhorn
 release_namespace: longhorn-system
- create_namespace: true
 wait: false
 kubeconfig: "{{ kubeconfig.path }}"
 values: "{{ components.longhorn.chart_values }}"