diff --git a/charts/coco-supported/kbs-access/insecure-policy.rego b/charts/coco-supported/kbs-access/insecure-policy.rego
new file mode 100644
index 00000000..b82a0e93
--- /dev/null
+++ b/charts/coco-supported/kbs-access/insecure-policy.rego
@@ -0,0 +1,38 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/sealed-secret.json b/charts/coco-supported/kbs-access/sealed-secret.json
new file mode 100644
index 00000000..4b5dcb6c
--- /dev/null
+++ b/charts/coco-supported/kbs-access/sealed-secret.json
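Review bot: Every agent request in this policy defaults to `true`, including `SetPolicyRequest`, `ExecProcessRequest`, `ReadStreamRequest` and `CopyFileRequest`, and the file carries no comment stating that it is intentionally permissive; once sealed-pod.yaml loads it through the `io.katacontainers.config.agent.policy` annotation, the untrusted host-side runtime is allowed to exec into and read streams from the confidential workload, which undoes the isolation the sealed secret relies on. Add a header such as `# Demo-only allow-all policy: every kata-agent API is permitted, so the guest offers no protection against the host. Not for use outside the kbs-access sample.` and, if the sample tolerates it, set at least `default SetPolicyRequest := false` so the policy presumably cannot be replaced after boot (name-based inference; confirm against the agent's policy docs). The file also lacks a trailing newline.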
@@ -0,0 +1,8 @@
+{
+ "version": "0.1.0",
+ "type": "vault",
+ "name": "kbs:///default/kbsres1/key3",
+ "provider": "kbs",
+ "provider_settings": {},
+ "annotations": {}
+}
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/templates/environment.yaml b/charts/coco-supported/kbs-access/templates/curl-location-cm.yaml
similarity index 83%
rename from charts/coco-supported/kbs-access/templates/environment.yaml
rename to charts/coco-supported/kbs-access/templates/curl-location-cm.yaml
index 3f5bc49e..93733e27 100644
--- a/charts/coco-supported/kbs-access/templates/environment.yaml
+++ b/charts/coco-supported/kbs-access/templates/curl-location-cm.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: kbsref
+ name: kbsref-curl
 namespace: kbs-access
 data:
 FILEPATH: "/output/kbsres1.txt"
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/templates/secure-pod.yaml b/charts/coco-supported/kbs-access/templates/curl-pod.yaml
similarity index 70%
rename from charts/coco-supported/kbs-access/templates/secure-pod.yaml
rename to charts/coco-supported/kbs-access/templates/curl-pod.yaml
index f8f32fd7..62bf20ee 100644
--- a/charts/coco-supported/kbs-access/templates/secure-pod.yaml
+++ b/charts/coco-supported/kbs-access/templates/curl-pod.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: secure
+ name: curl
 labels:
- app: secure
+ app: curl
 annotations:
 peerpods: "true"
 spec:
@@ -18,7 +18,7 @@ spec:
 mountPath: /output
 envFrom:
 - configMapRef:
- name: kbsref
+ name: kbsref-curl
 initContainers:
 - name: curl
 image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
@@ -26,12 +26,6 @@ spec:
 volumeMounts:
 - name: output-volume
 mountPath: /output
- # - name: hi
- # image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
- # command: ['sh', '-c', 'echo "hi" > /output/kbsres1.txt']
- # volumeMounts:
- # - name: output-volume
- # mountPath: /output
 volumes:
 - name: output-volume
 emptyDir: {}
diff --git a/charts/coco-supported/kbs-access/templates/secure-route.yaml b/charts/coco-supported/kbs-access/templates/curl-route.yaml
similarity index 82%
rename from charts/coco-supported/kbs-access/templates/secure-route.yaml
rename to charts/coco-supported/kbs-access/templates/curl-route.yaml
index dba755f2..56ca71f8 100644
--- a/charts/coco-supported/kbs-access/templates/secure-route.yaml
+++ b/charts/coco-supported/kbs-access/templates/curl-route.yaml
@@ -1,12 +1,12 @@
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
- name: secure
+ name: curl
 spec:
 port:
 targetPort: 5000
 to:
 kind: Service
- name: secure
+ name: curl
 weight: 100
 wildcardPolicy: None
diff --git a/charts/coco-supported/kbs-access/templates/secure-svc.yaml b/charts/coco-supported/kbs-access/templates/curl-svc.yaml
similarity index 85%
rename from charts/coco-supported/kbs-access/templates/secure-svc.yaml
rename to charts/coco-supported/kbs-access/templates/curl-svc.yaml
index 618f2f41..aed64668 100644
--- a/charts/coco-supported/kbs-access/templates/secure-svc.yaml
+++ b/charts/coco-supported/kbs-access/templates/curl-svc.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: secure
+ name: curl
 spec:
 ports:
 - name: 5000-tcp
@@ -9,6 +9,6 @@ spec:
 protocol: TCP
 targetPort: 5000
 selector:
- app: secure
+ app: curl
 sessionAffinity: None
 type: ClusterIP
diff --git a/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml b/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml
new file mode 100644
index 00000000..1a50e427
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kbsref-sealed
+ namespace: kbs-access
+data:
+ FILEPATH: "/sealed/myvalue"
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/templates/sealed-pod.yaml b/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
new file mode 100644
index 00000000..416c1e89
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sealed
+ labels:
+ app: sealed
+ annotations:
+ peerpods: "true"
+ io.katacontainers.config.agent.policy: '{{ tpl ( .Files.Get "insecure-policy.rego") . | b64enc }}'
+spec:
+ runtimeClassName: kata-remote
+ containers:
+ - name: python-access
+ image: ghcr.io/butler54/kbs-access-app:latest
+ ports:
+ - containerPort: 5000
+ envFrom:
+ - configMapRef:
+ name: kbsref-sealed
+ volumeMounts:
+ - name: secret-volume
+ mountPath: "sealed/myvalue"
+ env:
+ - name: PROTECTED_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: sealed-secret
+ key: secret
+ volumes:
+ - name: secret-volume
+ secret:
+ secretName: sealed-secret
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/templates/sealed-route.yaml b/charts/coco-supported/kbs-access/templates/sealed-route.yaml
new file mode 100644
index 00000000..56572b50
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-route.yaml
@@ -0,0 +1,12 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: sealed
+spec:
+ port:
+ targetPort: 5000
+ to:
+ kind: Service
+ name: sealed
+ weight: 100
+ wildcardPolicy: None
diff --git a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
new file mode 100644
index 00000000..276aaddd
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
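Review bot: `mountPath: "sealed/myvalue"` in sealed-pod.yaml is a relative path while the `kbsref-sealed` ConfigMap in the preceding hunk sets `FILEPATH: "/sealed/myvalue"`, so the two do not agree; change it to `mountPath: "/sealed/myvalue"`. Even then, a `secret` volume is projected as a directory with one file per key, so the unsealed value would presumably sit at `/sealed/myvalue/secret` rather than at `/sealed/myvalue` itself unless a `subPath` is used — confirm against what kbs-access-app actually reads. The ConfigMap hard-codes `namespace: kbs-access` while the Pod, Secret, Route and Service in this change set no namespace, so unless the release is installed into kbs-access the `configMapRef` will not resolve; either drop the hard-coded namespace or set it consistently. `image: ghcr.io/butler54/kbs-access-app:latest` is a floating tag; for a workload whose point is attested, policy-gated execution, pin it by digest so the image that runs is the one that was reviewed.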
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sealed-secret
+
+data:
+ # Base64 encoding of install-config yaml
+ secret: "{{ printf "sealed.fakejwsheader.%s.fakesignature" (tpl ( .Files.Get "sealed-secret.json" ) . | b64enc ) | b64enc }}"
+type: Generic
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/templates/sealed-service.yaml b/charts/coco-supported/kbs-access/templates/sealed-service.yaml
new file mode 100644
index 00000000..ab9d0d48
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: sealed
+spec:
+ ports:
+ - name: 5000-tcp
+ port: 5000
+ protocol: TCP
+ targetPort: 5000
+ selector:
+ app: sealed
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/rhdp/wrapper.sh b/rhdp/wrapper.sh
old mode 100644
new mode 100755
index 0df76df7..4304157b
--- a/rhdp/wrapper.sh
+++ b/rhdp/wrapper.sh
@@ -66,7 +66,7 @@ fi
 echo "---------------------"
 echo "defining cluster"
 echo "---------------------"
-python3 rhdp/rhdp-cluster-define.py ${AZUREREGION}
+python rhdp/rhdp-cluster-define.py ${AZUREREGION}
 echo "---------------------"
 echo "cluster defined"
 echo "---------------------"
diff --git a/values-simple.yaml b/values-simple.yaml
index f25bc61f..86a54035 100644
--- a/values-simple.yaml
+++ b/values-simple.yaml
@@ -95,7 +95,7 @@ clusterGroup:
 # Default to 'safe' for ARO
 overrides:
 - name: letsencrypt.enabled
- value: false
+ value: true
 hello-openshift:
 name: hello-openshift
 namespace: hello-openshift
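Review bot: The comment `# Base64 encoding of install-config yaml` under `data:` does not describe this value, which is a sealed-secret envelope built around sealed-secret.json, not an install-config; replace it with `# Sealed-secret envelope (sealed.fakejwsheader.<b64 resource descriptor>.fakesignature) pointing at the KBS resource; header and signature are placeholders, so nothing here is integrity-checked`. `type: Generic` is not one of the built-in Secret types — the API server accepts a custom type string, but `type: Opaque` is the conventional value for arbitrary key/value data and avoids suggesting a validation that does not exist. The leading `---` and the blank line inside `metadata:` are harmless but differ from every other template in this chart.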
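Review bot: Replacing `python3` with a bare `python` makes the script depend on an unversioned interpreter alias that is commonly absent by default on RHEL/UBI-style hosts and may still resolve to Python 2 elsewhere, so this line regresses portability unless the target environment is known to provide it; prefer `python3 rhdp/rhdp-cluster-define.py "${AZUREREGION}"`. Quoting `${AZUREREGION}` also keeps an empty or space-containing value from silently changing the argument list. The enclosing script continues outside the hunk.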
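Review bot: The new `value: true` sits directly under the context comment `# Default to 'safe' for ARO`, which now contradicts the override it introduces: letsencrypt is enabled rather than left at the 'safe' default. Either update the comment to state why the simple values enable it, e.g. `# Enable Let's Encrypt certificates; set to false on ARO, where the 'safe' default is preferred`, or keep `false` here and enable it in an environment-specific values file. The rest of the `clusterGroup` block is outside the hunk.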