diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 953f875..dc4f1f7 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -67,3 +67,25 @@ jobs:
         with:
           name: artifacts-import
           path: _out/gather
+  test-e2e-import-rke2:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install just
+        uses: extractions/setup-just@v2
+      - name: Install kind
+        uses: helm/kind-action@v1
+        with:
+          install_only: true
+          version: v0.26.0
+      - uses: actions/checkout@v4
+      - name: Test
+        run: just test-import-rke2
+      - name: Collect artifacts
+        if: always()
+        run: just collect-test-import
+      - name: Store run artifacts
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: artifacts-import-rke2
+          path: _out/gather
diff --git a/Cargo.lock b/Cargo.lock
index 53e55df..747cf94 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1,6 +1,6 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4
 
 [[package]]
 name = "actix-codec"
@@ -239,9 +239,9 @@ dependencies = [
 
 [[package]]
 name = "allocator-api2"
-version = "0.2.20"
+version = "0.2.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "45862d1c77f2228b9e10bc609d5bc203d86ebc9b87ad8d5d5167a6c9abf739d9"
+checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
 
 [[package]]
 name = "android-tzdata"
@@ -299,19 +299,20 @@ dependencies = [
 
 [[package]]
 name = "anstyle-wincon"
-version = "3.0.6"
+version = "3.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125"
+checksum = "ca3534e77181a9cc07539ad51f2141fe32f6c3ffd4df76db8ad92346b003ae4e"
 dependencies = [
  "anstyle",
+ "once_cell",
  "windows-sys 0.59.0",
 ]
 
 [[package]]
 name = "anyhow"
-version = "1.0.96"
+version = "1.0.97"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b964d184e89d9b6b67dd2715bc8e74cf3107fb2b529990c90cf517326150bf4"
+checksum = "dcfed56ad506cb2c684a14971b8861fdc3baaaae314b9e5f9bb532cbe3ba7a4f"
 
 [[package]]
 name = "assert-json-diff"
@@ -325,9 +326,9 @@ dependencies = [
 
 [[package]]
 name = "async-broadcast"
-version = "0.7.1"
+version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "20cd0e2e25ea8e5f7e9df04578dc6cf5c83577fd09b1a46aaf5c85e1c33f2a7e"
+checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532"
 dependencies = [
  "event-listener",
  "event-listener-strategy",
@@ -359,9 +360,9 @@ dependencies = [
 
 [[package]]
 name = "async-trait"
-version = "0.1.83"
+version = "0.1.87"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd"
+checksum = "d556ec1359574147ec0c4fc5eb525f3f23263a592b1a9c07e0a75b427de55c97"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -401,8 +402,8 @@ dependencies = [
  "pin-project-lite",
  "rustversion",
  "serde",
- "sync_wrapper 1.0.2",
- "tower 0.5.1",
+ "sync_wrapper",
+ "tower 0.5.2",
  "tower-layer",
  "tower-service",
 ]
@@ -422,7 +423,7 @@ dependencies = [
  "mime",
  "pin-project-lite",
  "rustversion",
- "sync_wrapper 1.0.2",
+ "sync_wrapper",
  "tower-layer",
  "tower-service",
 ]
@@ -467,9 +468,9 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 
 [[package]]
 name = "bitflags"
-version = "2.6.0"
+version = "2.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
+checksum = "5c8214115b7bf84099f1309324e63141d4c5d7cc26862f97a0a857dbefe165bd"
 
 [[package]]
 name = "block-buffer"
@@ -493,9 +494,9 @@ dependencies = [
 
 [[package]]
 name = "brotli-decompressor"
-version = "4.0.1"
+version = "4.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a45bd2e4095a8b518033b128020dd4a55aab1c0a381ba4404a472630f4bc362"
+checksum = "74fa05ad7d803d413eb8380983b092cbbaf9a85f151b871360e7b00cd7060b37"
 dependencies = [
  "alloc-no-stdlib",
  "alloc-stdlib",
@@ -503,9 +504,9 @@ dependencies = [
 
 [[package]]
 name = "bumpalo"
-version = "3.16.0"
+version = "3.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c"
+checksum = "1628fb46dfa0b37568d12e5edd512553eccf6a22a78e8bde00bb4aed84d5bdbf"
 
 [[package]]
 name = "byteorder"
@@ -515,9 +516,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 
 [[package]]
 name = "bytes"
-version = "1.8.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ac0150caa2ae65ca5bd83f25c7de183dea78d4d366469f148435e2acfbad0da"
+checksum = "f61dac84819c6588b558454b194026eb1f09c293b9036ae9b159e74e73ab6cf9"
 
 [[package]]
 name = "bytestring"
@@ -530,9 +531,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.1"
+version = "1.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47"
+checksum = "be714c154be609ec7f5dad223a33bf1482fff90472de28f7362806e6d4832b8c"
 dependencies = [
  "jobserver",
  "libc",
@@ -562,9 +563,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.30"
+version = "4.5.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92b7b18d71fad5313a1e320fa9897994228ce274b60faa4d694fe0ea89cd9e6d"
+checksum = "027bb0d98429ae334a8698531da7077bdf906419543a35a55c2cb1b66437d767"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -572,9 +573,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.30"
+version = "4.5.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a35db2071778a7344791a4fb4f95308b5673d219dee3ae348b86642574ecc90c"
+checksum = "5589e0cba072e0f3d23791efac0fd8627b49c829c196a492e88168e6a669d863"
 dependencies = [
  "anstream",
  "anstyle",
@@ -607,6 +608,8 @@ dependencies = [
  "actix-web",
  "anyhow",
  "assert-json-diff",
+ "async-broadcast",
+ "async-stream",
  "base64 0.22.1",
  "chrono",
  "clap",
@@ -620,6 +623,7 @@ dependencies = [
  "opentelemetry 0.27.1",
  "opentelemetry-otlp",
  "opentelemetry_sdk 0.28.0",
+ "pin-project",
  "prometheus",
  "rand 0.9.0",
  "schemars",
@@ -627,7 +631,7 @@ dependencies = [
  "serde_json",
  "serde_with",
  "serde_yaml",
- "thiserror 2.0.11",
+ "thiserror 2.0.12",
  "tokio",
  "tonic",
  "tower-test",
@@ -709,9 +713,9 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
 
 [[package]]
 name = "cpufeatures"
-version = "0.2.16"
+version = "0.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "16b80225097f2e5ae4e7179dd2266824648f3e2f49d9134d584b76389d31c4c3"
+checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
 dependencies = [
  "libc",
 ]
@@ -727,9 +731,9 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-utils"
-version = "0.8.20"
+version = "0.8.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
+checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
 
 [[package]]
 name = "crypto-common"
@@ -788,9 +792,9 @@ dependencies = [
 
 [[package]]
 name = "derive_more"
-version = "0.99.18"
+version = "0.99.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f33878137e4dafd7fa914ad4e259e18a4e8e532b9617a2d0150262bf53abfce"
+checksum = "3da29a38df43d6f156149c9b43ded5e018ddff2a855cf2cfd62e8cd7d079c69f"
 dependencies = [
  "convert_case",
  "proc-macro2",
@@ -822,9 +826,9 @@ dependencies = [
 
 [[package]]
 name = "dyn-clone"
-version = "1.0.17"
+version = "1.0.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d6ef0072f8a535281e4876be788938b528e9a1d43900b82c2569af7da799125"
+checksum = "1c7a8fb8a9fbf66c1f703fe16184d10ca0ee9d23be5b4436400408ba54a95005"
 
 [[package]]
 name = "educe"
@@ -840,9 +844,9 @@ dependencies = [
 
 [[package]]
 name = "either"
-version = "1.13.0"
+version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0"
+checksum = "b7914353092ddf589ad78f25c5c1c21b7f80b0ff8621e7c814c3485b5306da9d"
 
 [[package]]
 name = "encoding_rs"
@@ -875,15 +879,15 @@ dependencies = [
 
 [[package]]
 name = "equivalent"
-version = "1.0.1"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
 
 [[package]]
 name = "event-listener"
-version = "5.3.1"
+version = "5.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6032be9bd27023a771701cc49f9f053c751055f71efb2e0ae5c15809093675ba"
+checksum = "3492acde4c3fc54c845eaab3eed8bd00c7a7d881f78bfc801e43a93dec1331ae"
 dependencies = [
  "concurrent-queue",
  "parking",
@@ -892,9 +896,9 @@ dependencies = [
 
 [[package]]
 name = "event-listener-strategy"
-version = "0.5.2"
+version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f214dc438f977e6d4e3500aaa277f5ad94ca83fbbd9b1a15713ce2344ccc5a1"
+checksum = "3c3e4e0dd3673c1139bf041f3008816d9cf2946bbfac2945c09e523b8d7b05b2"
 dependencies = [
  "event-listener",
  "pin-project-lite",
@@ -902,9 +906,9 @@ dependencies = [
 
 [[package]]
 name = "flate2"
-version = "1.0.35"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c936bfdafb507ebbf50b8074c54fa31c5be9a1e7e5f467dd659697041407d07c"
+checksum = "11faaf5a5236997af9848be0bef4db95824b1d534ebc64d0f0c6cf3e67bd38dc"
 dependencies = [
  "crc32fast",
  "miniz_oxide",
@@ -912,9 +916,9 @@ dependencies = [
 
 [[package]]
 name = "fleet-api-rs"
-version = "0.11.4"
+version = "0.11.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b1985c80d4aee1c481314157c009338daa33eb98b5838f63f0b33d1c836bcbe"
+checksum = "680e3dd0653593a5a9433ed2a36fb149998b205139576aaf087fc06733e9880f"
 dependencies = [
  "k8s-openapi",
  "kube",
@@ -931,9 +935,9 @@ checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
 [[package]]
 name = "foldhash"
-version = "0.1.3"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f81ec6369c545a7d40e4589b5597581fa1c441fe1cce96dd1de43159910a36a2"
+checksum = "a0d2fde1f7b3d48b8395d5f2de76c18a528bd6a9cdde438df747bfcba3e05d6f"
 
 [[package]]
 name = "form_urlencoded"
@@ -1056,9 +1060,9 @@ dependencies = [
 
 [[package]]
 name = "getrandom"
-version = "0.3.0"
+version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "71393ecc86efbf00e4ca13953979ba8b94cfe549a4b74cc26d8b62f4d8feac2b"
+checksum = "43a49c392881ce6d5c3b8cb70f98717b7c07aabbdff06687b9030dbfbe2725f8"
 dependencies = [
  "cfg-if",
  "libc",
@@ -1074,9 +1078,9 @@ checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
 
 [[package]]
 name = "glob"
-version = "0.3.1"
+version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+checksum = "a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2"
 
 [[package]]
 name = "h2"
@@ -1090,7 +1094,7 @@ dependencies = [
  "futures-sink",
  "futures-util",
  "http 0.2.12",
- "indexmap 2.6.0",
+ "indexmap 2.7.1",
  "slab",
  "tokio",
  "tokio-util",
@@ -1099,9 +1103,9 @@ dependencies = [
 
 [[package]]
 name = "h2"
-version = "0.4.7"
+version = "0.4.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ccae279728d634d083c00f6099cb58f01cc99c145b84b8be2f6c74618d79922e"
+checksum = "5017294ff4bb30944501348f6f8e42e6ad28f42c8bbef7a74029aff064a4e3c2"
 dependencies = [
  "atomic-waker",
  "bytes",
@@ -1109,7 +1113,7 @@ dependencies = [
  "futures-core",
  "futures-sink",
  "http 1.2.0",
- "indexmap 2.6.0",
+ "indexmap 2.7.1",
  "slab",
  "tokio",
  "tokio-util",
@@ -1163,12 +1167,6 @@ version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
 
-[[package]]
-name = "hermit-abi"
-version = "0.3.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024"
-
 [[package]]
 name = "hex"
 version = "0.4.3"
@@ -1177,11 +1175,11 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
 [[package]]
 name = "home"
-version = "0.5.9"
+version = "0.5.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5"
+checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf"
 dependencies = [
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -1242,9 +1240,9 @@ dependencies = [
 
 [[package]]
 name = "httparse"
-version = "1.9.5"
+version = "1.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7d71d3574edd2771538b901e6549113b4006ece66150fb69c0fb6d9a2adae946"
+checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
 
 [[package]]
 name = "httpdate"
@@ -1261,7 +1259,7 @@ dependencies = [
  "bytes",
  "futures-channel",
  "futures-util",
- "h2 0.4.7",
+ "h2 0.4.8",
  "http 1.2.0",
  "http-body",
  "httparse",
@@ -1295,9 +1293,9 @@ dependencies = [
 
 [[package]]
 name = "hyper-rustls"
-version = "0.27.3"
+version = "0.27.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08afdbb5c31130e3034af566421053ab03787c640246a446327f550d11bcb333"
+checksum = "2d191583f3da1305256f22463b9bb0471acad48a4e534a5218b9963e9c1f59b2"
 dependencies = [
  "futures-util",
  "http 1.2.0",
@@ -1514,9 +1512,9 @@ dependencies = [
 
 [[package]]
 name = "impl-more"
-version = "0.1.8"
+version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aae21c3177a27788957044151cc2800043d127acaa460a47ebb9b84dfa2c6aa0"
+checksum = "e8a5a9a0ff0086c7a148acb942baaabeadf9504d10400b5a05645853729b9cd2"
 
 [[package]]
 name = "indexmap"
@@ -1531,9 +1529,9 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.6.0"
+version = "2.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da"
+checksum = "8c9c992b02b5b4c94ea26e32fe5bccb7aa7d9f390ab5c1221ff895bc7ea8b652"
 dependencies = [
  "equivalent",
  "hashbrown 0.15.2",
@@ -1563,18 +1561,18 @@ checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
 
 [[package]]
 name = "itertools"
-version = "0.13.0"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186"
+checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285"
 dependencies = [
  "either",
 ]
 
 [[package]]
 name = "itoa"
-version = "1.0.14"
+version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
+checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
 
 [[package]]
 name = "jobserver"
@@ -1587,10 +1585,11 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.72"
+version = "0.3.77"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9"
+checksum = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f"
 dependencies = [
+ "once_cell",
  "wasm-bindgen",
 ]
 
@@ -1608,15 +1607,15 @@ dependencies = [
 
 [[package]]
 name = "jsonpath-rust"
-version = "0.7.3"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69a61b87f6a55cc6c28fed5739dd36b9642321ce63e4a5e4a4715d69106f4a10"
+checksum = "0c00ae348f9f8fd2d09f82a98ca381c60df9e0820d8d79fce43e649b4dc3128b"
 dependencies = [
  "pest",
  "pest_derive",
  "regex",
  "serde_json",
- "thiserror 1.0.69",
+ "thiserror 2.0.12",
 ]
 
 [[package]]
@@ -1686,10 +1685,10 @@ dependencies = [
  "serde",
  "serde_json",
  "serde_yaml",
- "thiserror 2.0.11",
+ "thiserror 2.0.12",
  "tokio",
  "tokio-util",
- "tower 0.5.1",
+ "tower 0.5.2",
  "tower-http",
  "tracing",
 ]
@@ -1709,7 +1708,7 @@ dependencies = [
  "serde",
  "serde-value",
  "serde_json",
- "thiserror 2.0.11",
+ "thiserror 2.0.12",
 ]
 
 [[package]]
@@ -1748,7 +1747,7 @@ dependencies = [
  "pin-project",
  "serde",
  "serde_json",
- "thiserror 2.0.11",
+ "thiserror 2.0.12",
  "tokio",
  "tokio-util",
  "tracing",
@@ -1768,15 +1767,15 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
 
 [[package]]
 name = "libc"
-version = "0.2.169"
+version = "0.2.170"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
+checksum = "875b3680cb2f8f71bdcf9a30f38d48282f5d3c95cbf9b3fa57269bb5d5c06828"
 
 [[package]]
 name = "litemap"
-version = "0.7.4"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ee93343901ab17bd981295f2cf0026d4ad018c7c31ba84549a4ddbb47a45104"
+checksum = "23fb14cb19457329c82206317a5663005a4d404783dc74f4252769b0d5f42856"
 
 [[package]]
 name = "local-channel"
@@ -1807,9 +1806,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.22"
+version = "0.4.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
+checksum = "30bde2b3dc3671ae49d8e2e9f044c7c005836e7a023ee57cffa25ab82764bb9e"
 
 [[package]]
 name = "matchers"
@@ -1840,20 +1839,19 @@ checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
 
 [[package]]
 name = "miniz_oxide"
-version = "0.8.0"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1"
+checksum = "8e3e04debbb59698c15bacbb6d93584a8c0ca9cc3213cb423d31f760d8843ce5"
 dependencies = [
  "adler2",
 ]
 
 [[package]]
 name = "mio"
-version = "1.0.2"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec"
+checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
 dependencies = [
- "hermit-abi",
  "libc",
  "log",
  "wasi 0.11.0+wasi-snapshot-preview1",
@@ -1887,24 +1885,24 @@ dependencies = [
 
 [[package]]
 name = "object"
-version = "0.36.5"
+version = "0.36.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aedf0a2d09c573ed1d8d85b30c119153926a2b36dce0ab28322c09a117a4683e"
+checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87"
 dependencies = [
  "memchr",
 ]
 
 [[package]]
 name = "once_cell"
-version = "1.20.2"
+version = "1.20.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775"
+checksum = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e"
 
 [[package]]
 name = "openssl-probe"
-version = "0.1.5"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 
 [[package]]
 name = "opentelemetry"
@@ -1930,7 +1928,7 @@ dependencies = [
  "futures-sink",
  "js-sys",
  "pin-project-lite",
- "thiserror 2.0.11",
+ "thiserror 2.0.12",
  "tracing",
 ]
 
@@ -1963,7 +1961,7 @@ dependencies = [
  "opentelemetry_sdk 0.28.0",
  "prost",
  "reqwest",
- "thiserror 2.0.11",
+ "thiserror 2.0.12",
  "tracing",
 ]
 
@@ -2011,7 +2009,7 @@ dependencies = [
  "percent-encoding",
  "rand 0.8.5",
  "serde_json",
- "thiserror 2.0.11",
+ "thiserror 2.0.12",
  "tokio",
  "tokio-stream",
  "tracing",
@@ -2069,9 +2067,9 @@ checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
 
 [[package]]
 name = "pem"
-version = "3.0.4"
+version = "3.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae"
+checksum = "38af38e8470ac9dee3ce1bae1af9c1671fffc44ddfd8bd1d0a3445bf349a8ef3"
 dependencies = [
  "base64 0.22.1",
  "serde",
@@ -2085,20 +2083,20 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
 
 [[package]]
 name = "pest"
-version = "2.7.14"
+version = "2.7.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "879952a81a83930934cbf1786752d6dedc3b1f29e8f8fb2ad1d0a36f377cf442"
+checksum = "8b7cafe60d6cf8e62e1b9b2ea516a089c008945bb5a275416789e7db0bc199dc"
 dependencies = [
  "memchr",
- "thiserror 1.0.69",
+ "thiserror 2.0.12",
  "ucd-trie",
 ]
 
 [[package]]
 name = "pest_derive"
-version = "2.7.14"
+version = "2.7.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d214365f632b123a47fd913301e14c946c61d1c183ee245fa76eb752e59a02dd"
+checksum = "816518421cfc6887a0d62bf441b6ffb4536fcc926395a69e1a85852d4363f57e"
 dependencies = [
  "pest",
  "pest_generator",
@@ -2106,9 +2104,9 @@ dependencies = [
 
 [[package]]
 name = "pest_generator"
-version = "2.7.14"
+version = "2.7.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb55586734301717aea2ac313f50b2eb8f60d2fc3dc01d190eefa2e625f60c4e"
+checksum = "7d1396fd3a870fc7838768d171b4616d5c91f6cc25e377b673d714567d99377b"
 dependencies = [
  "pest",
  "pest_meta",
@@ -2119,9 +2117,9 @@ dependencies = [
 
 [[package]]
 name = "pest_meta"
-version = "2.7.14"
+version = "2.7.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b75da2a70cf4d9cb76833c990ac9cd3923c9a8905a8929789ce347c84564d03d"
+checksum = "e1e58089ea25d717bfd31fb534e4f3afcc2cc569c70de3e239778991ea3b7dea"
 dependencies = [
  "once_cell",
  "pest",
@@ -2130,18 +2128,18 @@ dependencies = [
 
 [[package]]
 name = "pin-project"
-version = "1.1.7"
+version = "1.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be57f64e946e500c8ee36ef6331845d40a93055567ec57e8fae13efd33759b95"
+checksum = "677f1add503faace112b9f1373e43e9e054bfdd22ff1a63c1bc485eaec6a6a8a"
 dependencies = [
  "pin-project-internal",
 ]
 
 [[package]]
 name = "pin-project-internal"
-version = "1.1.7"
+version = "1.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c0f5fad0874fc7abcd4d750e76917eaebbecaa2c20bde22e1dbeeba8beb758c"
+checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2150,9 +2148,9 @@ dependencies = [
 
 [[package]]
 name = "pin-project-lite"
-version = "0.2.15"
+version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "915a1e146535de9163f3987b8944ed8cf49a18bb0056bcebcdcece385cece4ff"
+checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
 
 [[package]]
 name = "pin-utils"
@@ -2162,9 +2160,9 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
 [[package]]
 name = "pkg-config"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2"
+checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
 
 [[package]]
 name = "powerfmt"
@@ -2183,9 +2181,9 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.92"
+version = "1.0.94"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0"
+checksum = "a31971752e70b8b2686d7e46ec17fb38dad4051d94024c88df49b667caea9c84"
 dependencies = [
  "unicode-ident",
 ]
@@ -2207,9 +2205,9 @@ dependencies = [
 
 [[package]]
 name = "prost"
-version = "0.13.3"
+version = "0.13.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b0487d90e047de87f984913713b85c601c05609aad5b0df4b4573fbf69aa13f"
+checksum = "2796faa41db3ec313a31f7624d9286acf277b52de526150b7e69f3debf891ee5"
 dependencies = [
  "bytes",
  "prost-derive",
@@ -2217,9 +2215,9 @@ dependencies = [
 
 [[package]]
 name = "prost-derive"
-version = "0.13.3"
+version = "0.13.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e9552f850d5f0964a4e4d0bf306459ac29323ddfbae05e35a7c0d35cb0803cc5"
+checksum = "8a56d757972c98b346a9b766e3f02746cde6dd1cd1d1d563472929fdd74bec4d"
 dependencies = [
  "anyhow",
  "itertools",
@@ -2236,9 +2234,9 @@ checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
 
 [[package]]
 name = "quote"
-version = "1.0.37"
+version = "1.0.39"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af"
+checksum = "c1f1914ce909e1658d9907913b4b91947430c7d9be598b15a1912935b8c04801"
 dependencies = [
  "proc-macro2",
 ]
@@ -2261,8 +2259,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3779b94aeb87e8bd4e834cee3650289ee9e0d5677f976ecdb6d219e5f4f6cd94"
 dependencies = [
  "rand_chacha 0.9.0",
- "rand_core 0.9.0",
- "zerocopy 0.8.14",
+ "rand_core 0.9.3",
+ "zerocopy 0.8.21",
 ]
 
 [[package]]
@@ -2282,7 +2280,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
 dependencies = [
  "ppv-lite86",
- "rand_core 0.9.0",
+ "rand_core 0.9.3",
 ]
 
 [[package]]
@@ -2296,19 +2294,18 @@ dependencies = [
 
 [[package]]
 name = "rand_core"
-version = "0.9.0"
+version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b08f3c9802962f7e1b25113931d94f43ed9725bebc59db9d0c3e9a23b67e15ff"
+checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38"
 dependencies = [
- "getrandom 0.3.0",
- "zerocopy 0.8.14",
+ "getrandom 0.3.1",
 ]
 
 [[package]]
 name = "redox_syscall"
-version = "0.5.7"
+version = "0.5.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b6dfecf2c74bce2466cabf93f6664d6998a69eb21e39f4207930065b27b771f"
+checksum = "0b8c0c260b63a8219631167be35e6a988e9554dbd323f8bd08439c8ed1302bd1"
 dependencies = [
  "bitflags",
 ]
@@ -2365,9 +2362,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 
 [[package]]
 name = "reqwest"
-version = "0.12.9"
+version = "0.12.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a77c62af46e79de0a562e1a9849205ffcb7fc1238876e9bd743357570e04046f"
+checksum = "43e734407157c3c2034e0258f5e4473ddb361b1e85f95a66690d67264d7cd1da"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -2389,8 +2386,9 @@ dependencies = [
  "serde",
  "serde_json",
  "serde_urlencoded",
- "sync_wrapper 1.0.2",
+ "sync_wrapper",
  "tokio",
+ "tower 0.5.2",
  "tower-service",
  "url",
  "wasm-bindgen",
@@ -2401,15 +2399,14 @@ dependencies = [
 
 [[package]]
 name = "ring"
-version = "0.17.8"
+version = "0.17.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+checksum = "70ac5d832aa16abd7d1def883a8545280c20a60f523a370aa3a9617c2b8550ee"
 dependencies = [
  "cc",
  "cfg-if",
  "getrandom 0.2.15",
  "libc",
- "spin",
  "untrusted",
  "windows-sys 0.52.0",
 ]
@@ -2431,9 +2428,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.23.19"
+version = "0.23.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "934b404430bb06b3fae2cba809eb45a1ab1aecd64491213d7c3301b88393f8d1"
+checksum = "47796c98c480fce5406ef69d1c76378375492c3b0a0de587be0c1d9feb12f395"
 dependencies = [
  "log",
  "once_cell",
@@ -2466,7 +2463,7 @@ dependencies = [
  "openssl-probe",
  "rustls-pki-types",
  "schannel",
- "security-framework 3.0.1",
+ "security-framework 3.2.0",
 ]
 
 [[package]]
@@ -2480,9 +2477,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-pki-types"
-version = "1.10.0"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b"
+checksum = "917ce264624a4b4db1c364dcc35bfca9ded014d0a958cd47ad3e960e988ea51c"
 
 [[package]]
 name = "rustls-webpki"
@@ -2497,15 +2494,15 @@ dependencies = [
 
 [[package]]
 name = "rustversion"
-version = "1.0.18"
+version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e819f2bc632f285be6d7cd36e25940d45b2391dd6d9b939e79de557f7014248"
+checksum = "eded382c5f5f786b989652c49544c4877d9f015cc22e145a5ea8ea66c2921cd2"
 
 [[package]]
 name = "ryu"
-version = "1.0.18"
+version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
+checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f"
 
 [[package]]
 name = "schannel"
@@ -2571,9 +2568,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework"
-version = "3.0.1"
+version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1415a607e92bec364ea2cf9264646dcce0f91e6d65281bd6f2819cca3bf39c8"
+checksum = "271720403f46ca04f7ba6f55d438f8bd878d6b8ca0a1046e8228c4145bcbb316"
 dependencies = [
  "bitflags",
  "core-foundation 0.10.0",
@@ -2584,9 +2581,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework-sys"
-version = "2.12.1"
+version = "2.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa39c7303dc58b5543c94d22c1766b0d31f2ee58306363ea622b10bbc075eaa2"
+checksum = "49db231d56a190491cb4aeda9527f1ad45345af50b0851622a7adb8c03b01c32"
 dependencies = [
  "core-foundation-sys",
  "libc",
@@ -2594,9 +2591,9 @@ dependencies = [
 
 [[package]]
 name = "semver"
-version = "1.0.23"
+version = "1.0.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b"
+checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
 
 [[package]]
 name = "serde"
@@ -2641,9 +2638,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.139"
+version = "1.0.140"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44f86c3acccc9c65b153fe1b85a3be07fe5515274ec9f0653b4a0875731c72a6"
+checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373"
 dependencies = [
  "itoa",
  "memchr",
@@ -2673,7 +2670,7 @@ dependencies = [
  "chrono",
  "hex",
  "indexmap 1.9.3",
- "indexmap 2.6.0",
+ "indexmap 2.7.1",
  "serde",
  "serde_derive",
  "serde_json",
@@ -2699,7 +2696,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.6.0",
+ "indexmap 2.7.1",
  "itoa",
  "ryu",
  "serde",
@@ -2763,26 +2760,20 @@ dependencies = [
 
 [[package]]
 name = "smallvec"
-version = "1.13.2"
+version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
+checksum = "7fcf8323ef1faaee30a44a340193b1ac6814fd9b7b4e88e9d4519a3e4abe1cfd"
 
 [[package]]
 name = "socket2"
-version = "0.5.7"
+version = "0.5.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce305eb0b4296696835b71df73eb912e0f1ffd2556a501fcede6e0c50349191c"
+checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8"
 dependencies = [
  "libc",
  "windows-sys 0.52.0",
 ]
 
-[[package]]
-name = "spin"
-version = "0.9.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
-
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.0"
@@ -2803,21 +2794,15 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
 [[package]]
 name = "syn"
-version = "2.0.89"
+version = "2.0.99"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44d46482f1c1c87acd84dea20c1bf5ebff4c757009ed6bf19cfd36fb10e92c4e"
+checksum = "e02e925281e18ffd9d640e234264753c43edc62d64b2d4cf898f1bc5e75f3fc2"
 dependencies = [
  "proc-macro2",
  "quote",
  "unicode-ident",
 ]
 
-[[package]]
-name = "sync_wrapper"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160"
-
 [[package]]
 name = "sync_wrapper"
 version = "1.0.2"
@@ -2849,11 +2834,11 @@ dependencies = [
 
 [[package]]
 name = "thiserror"
-version = "2.0.11"
+version = "2.0.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d452f284b73e6d76dd36758a0c8684b1d5be31f92b89d07fd5822175732206fc"
+checksum = "567b8a2dae586314f7be2a752ec7474332959c6460e02bde30d702a66d488708"
 dependencies = [
- "thiserror-impl 2.0.11",
+ "thiserror-impl 2.0.12",
 ]
 
 [[package]]
@@ -2869,9 +2854,9 @@ dependencies = [
 
 [[package]]
 name = "thiserror-impl"
-version = "2.0.11"
+version = "2.0.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26afc1baea8a989337eeb52b6e72a039780ce45c3edfcc9c5b9d112feeb173c2"
+checksum = "7f7cf42b4507d8ea322120659672cf1b9dbb93f8f2d4ecfd6e51350ff5b17a1d"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2890,9 +2875,9 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.36"
+version = "0.3.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5dfd88e563464686c916c7e46e623e520ddc6d79fa6641390f2e3fa86e83e885"
+checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
 dependencies = [
  "deranged",
  "itoa",
@@ -2911,9 +2896,9 @@ checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
 
 [[package]]
 name = "time-macros"
-version = "0.2.18"
+version = "0.2.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f252a68540fde3a3877aeea552b832b40ab9a69e318efd078774a01ddee1ccf"
+checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de"
 dependencies = [
  "num-conv",
  "time-core",
@@ -2960,20 +2945,19 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.26.0"
+version = "0.26.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
+checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b"
 dependencies = [
  "rustls",
- "rustls-pki-types",
  "tokio",
 ]
 
 [[package]]
 name = "tokio-stream"
-version = "0.1.16"
+version = "0.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f4e6ce100d0eb49a2734f8c0812bcd324cf357d21810932c5df6b96ef2b86f1"
+checksum = "eca58d7bba4a75707817a2c44174253f9236b2d5fbd055602e9d5c07c139a047"
 dependencies = [
  "futures-core",
  "pin-project-lite",
@@ -2995,9 +2979,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-util"
-version = "0.7.12"
+version = "0.7.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61e7c3654c13bcd040d4a03abee2c75b1d14a37b423cf5a813ceae1cc903ec6a"
+checksum = "d7fcaa8d55a2bdd6b83ace262b016eca0d79ee02818c5c1bcdf0305114081078"
 dependencies = [
  "bytes",
  "futures-core",
@@ -3018,7 +3002,7 @@ dependencies = [
  "axum",
  "base64 0.22.1",
  "bytes",
- "h2 0.4.7",
+ "h2 0.4.8",
  "http 1.2.0",
  "http-body",
  "http-body-util",
@@ -3059,14 +3043,14 @@ dependencies = [
 
 [[package]]
 name = "tower"
-version = "0.5.1"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2873938d487c3cfb9aed7546dc9f2711d867c9f90c46b889989a2cb84eba6b4f"
+checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
 dependencies = [
  "futures-core",
  "futures-util",
  "pin-project-lite",
- "sync_wrapper 0.1.2",
+ "sync_wrapper",
  "tokio",
  "tokio-util",
  "tower-layer",
@@ -3219,9 +3203,9 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
 
 [[package]]
 name = "typenum"
-version = "1.17.0"
+version = "1.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+checksum = "1dccffe3ce07af9386bfd29e80c0ab1a8205a2fc34e4bcd40364df902cfa8f3f"
 
 [[package]]
 name = "ucd-trie"
@@ -3231,9 +3215,9 @@ checksum = "2896d95c02a80c6d6a5d6e953d479f5ddf2dfdb6a244441010e373ac0fb88971"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.14"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83"
+checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512"
 
 [[package]]
 name = "unsafe-libyaml"
@@ -3278,9 +3262,9 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
 
 [[package]]
 name = "valuable"
-version = "0.1.0"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
+checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
 
 [[package]]
 name = "version_check"
@@ -3314,24 +3298,24 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e"
+checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5"
 dependencies = [
  "cfg-if",
  "once_cell",
+ "rustversion",
  "wasm-bindgen-macro",
 ]
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358"
+checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6"
 dependencies = [
  "bumpalo",
  "log",
- "once_cell",
  "proc-macro2",
  "quote",
  "syn",
@@ -3340,21 +3324,22 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.45"
+version = "0.4.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc7ec4f8827a71586374db3e87abdb5a2bb3a15afed140221307c3ec06b1f63b"
+checksum = "555d470ec0bc3bb57890405e5d4322cc9ea83cebb085523ced7be4144dac1e61"
 dependencies = [
  "cfg-if",
  "js-sys",
+ "once_cell",
  "wasm-bindgen",
  "web-sys",
 ]
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56"
+checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -3362,9 +3347,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68"
+checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3375,15 +3360,18 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d"
+checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d"
+dependencies = [
+ "unicode-ident",
+]
 
 [[package]]
 name = "web-sys"
-version = "0.3.72"
+version = "0.3.77"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6488b90108c040df0fe62fa815cbdee25124641df01814dd7282749234c6112"
+checksum = "33b6dd2ef9186f1f2072e409e99cd22a975331a6b3591b12c764e0e55c60d5d2"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -3615,11 +3603,11 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.8.14"
+version = "0.8.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a367f292d93d4eab890745e75a778da40909cab4d6ff8173693812f79c4a2468"
+checksum = "dcf01143b2dd5d134f11f545cf9f1431b13b749695cb33bcce051e7568f99478"
 dependencies = [
- "zerocopy-derive 0.8.14",
+ "zerocopy-derive 0.8.21",
 ]
 
 [[package]]
@@ -3635,9 +3623,9 @@ dependencies = [
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.14"
+version = "0.8.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3931cb58c62c13adec22e38686b559c86a30565e16ad6e8510a337cedc611e1"
+checksum = "712c8386f4f4299382c9abee219bee7084f78fb939d88b6840fcc1320d5f6da2"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3646,18 +3634,18 @@ dependencies = [
 
 [[package]]
 name = "zerofrom"
-version = "0.1.5"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cff3ee08c995dee1859d998dea82f7374f2826091dd9cd47def953cae446cd2e"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
 dependencies = [
  "zerofrom-derive",
 ]
 
 [[package]]
 name = "zerofrom-derive"
-version = "0.1.5"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "595eed982f7d355beb85837f651fa22e90b3c044842dc7f2c2842c086f295808"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3695,27 +3683,27 @@ dependencies = [
 
 [[package]]
 name = "zstd"
-version = "0.13.2"
+version = "0.13.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fcf2b778a664581e31e389454a7072dab1647606d44f7feea22cd5abb9c9f3f9"
+checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
 dependencies = [
  "zstd-safe",
 ]
 
 [[package]]
 name = "zstd-safe"
-version = "7.2.1"
+version = "7.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54a3ab4db68cea366acc5c897c7b4d4d1b8994a9cd6e6f841f8964566a419059"
+checksum = "f3051792fbdc2e1e143244dc28c60f73d8470e93f3f9cbd0ead44da5ed802722"
 dependencies = [
  "zstd-sys",
 ]
 
 [[package]]
 name = "zstd-sys"
-version = "2.0.13+zstd.1.5.6"
+version = "2.0.14+zstd.1.5.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38ff0f21cfee8f97d94cef41359e0c89aa6113028ab0291aa8ca0038995a95aa"
+checksum = "8fb060d4926e4ac3a3ad15d864e99ceb5f343c6b34f5bd6d81ae6ed417311be5"
 dependencies = [
  "cc",
  "pkg-config",
diff --git a/Cargo.toml b/Cargo.toml
index 2876673..9b140e2 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -34,7 +34,7 @@ actix-web = "4.9.0"
 futures = "0.3.28"
 tokio = { version = "1.43.0", features = ["macros", "rt-multi-thread"] }
 k8s-openapi = { version = "0.24", features = ["latest", "schemars"] }
-kube = { version = "0.98", features = [
+kube = { version = "0.98.0", features = [
     "runtime",
     "client",
     "derive",
@@ -58,9 +58,12 @@ tonic = { version = "0.12.3", optional = true }
 thiserror = "2.0.11"
 anyhow = "1.0.96"
 base64 = "0.22.1"
-clap = { version = "4.5.30", features = ["derive"] }
+clap = { version = "4.5.31", features = ["derive"] }
 cluster-api-rs = "1.9.5"
-fleet-api-rs = "0.11.4"
+fleet-api-rs = "0.11.5"
+async-broadcast = "0.7.2"
+pin-project = "1.1.10"
+async-stream = "0.3.6"
 
 [dev-dependencies]
 assert-json-diff = "2.0.2"
diff --git a/README.md b/README.md
index 710b240..20b42b9 100644
--- a/README.md
+++ b/README.md
@@ -27,11 +27,11 @@ Refer to the book [configuration](./docs/book/03_tutorials/02_configuration) sec
 
 ## Demo
 
-<script src="https://asciinema.org/a/659626.js" id="asciicast-659626" async="true"></script>
+[![asciicast](https://asciinema.org/a/659626.svg)](https://asciinema.org/a/659626)
 
 ## Calico CNI installation demo
 
-<script src="https://asciinema.org/a/700924.js" id="asciicast-700924" async="true"></script>
+[![asciicast](https://asciinema.org/a/700924.svg)](https://asciinema.org/a/700924)
 
 ## Get in contact
 
diff --git a/config/crds/fleet-addon-config.yaml b/config/crds/fleet-addon-config.yaml
index 378e767..a452b16 100644
--- a/config/crds/fleet-addon-config.yaml
+++ b/config/crds/fleet-addon-config.yaml
@@ -122,6 +122,35 @@ spec:
                     description: Namespace selection for the fleet agent
                     nullable: true
                     type: string
+                  agentTolerations:
+                    description: Agent taint toleration settings for every cluster
+                    items:
+                      description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
+                      properties:
+                        effect:
+                          description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                          nullable: true
+                          type: string
+                        key:
+                          description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                          nullable: true
+                          type: string
+                        operator:
+                          description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+                          nullable: true
+                          type: string
+                        tolerationSeconds:
+                          description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+                          format: int64
+                          nullable: true
+                          type: integer
+                        value:
+                          description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+                          nullable: true
+                          type: string
+                      type: object
+                    nullable: true
+                    type: array
                   applyClassGroup:
                     description: Apply a ClusterGroup for a ClusterClass referenced from a different namespace.
                     nullable: true
@@ -131,7 +160,7 @@ spec:
                     nullable: true
                     type: boolean
                   namespaceSelector:
-                    description: 'Namespace label selector. If set, only clusters in the namespace matching label selector will be imported. WARN: this field controls the state of opened watches to the cluster. If changed, requires controller to be reloaded.'
+                    description: Namespace label selector. If set, only clusters in the namespace matching label selector will be imported.
                     properties:
                       matchExpressions:
                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -178,7 +207,7 @@ spec:
                     nullable: true
                     type: boolean
                   selector:
-                    description: 'Cluster label selector. If set, only clusters matching label selector will be imported. WARN: this field controls the state of opened watches to the cluster. If changed, requires controller to be reloaded.'
+                    description: Cluster label selector. If set, only clusters matching label selector will be imported.
                     properties:
                       matchExpressions:
                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
diff --git a/docs/src/02_getting_started/02_configuration.md b/docs/src/02_getting_started/02_configuration.md
index 1311c05..c323041 100644
--- a/docs/src/02_getting_started/02_configuration.md
+++ b/docs/src/02_getting_started/02_configuration.md
@@ -29,7 +29,7 @@ spec:
     server:
       inferLocal: true # Uses default `kuberenetes` endpoint and secret for APIServerURL configuration
   install:
-    version: v0.12.0-alpha.14 # We will install alpha for helmapp support
+    version: v0.12.0-beta.1 # We will install alpha for helmapp support
 ```
 
 ### Fleet Public URL and Certificate setup
@@ -52,7 +52,7 @@ spec:
     server:
       inferLocal: true # Uses default `kuberenetes` endpoint and secret for APIServerURL configuration
   install:
-    version: v0.12.0-alpha.14 # We will install alpha for helmapp support
+    version: v0.12.0-beta.1 # We will install alpha for helmapp support
 ```
 
 This scenario works well in a test setup, while using CAPI docker provider and docker clusters.
diff --git a/docs/src/03_tutorials/01_prerequisites.md b/docs/src/03_tutorials/01_prerequisites.md
index 2b9579f..b70400c 100644
--- a/docs/src/03_tutorials/01_prerequisites.md
+++ b/docs/src/03_tutorials/01_prerequisites.md
@@ -27,8 +27,8 @@ kubectl config view -o json --raw | jq -r '.clusters[] | select(.name=="kind-dev
 # Set the API server URL
 API_SERVER_URL=`kubectl config view -o json --raw | jq -r '.clusters[] | select(.name=="kind-dev").cluster["server"]'`
 # And proceed with the installation via helm
-helm -n cattle-fleet-system install --version v0.12.0-alpha.14 --create-namespace --wait fleet-crd fleet/fleet-crd
-helm install --create-namespace --version v0.12.0-alpha.14 -n cattle-fleet-system --set apiServerURL=$API_SERVER_URL --set-file apiServerCA=_out/ca.pem fleet fleet/fleet --wait
+helm -n cattle-fleet-system install --version v0.12.0-beta.1 --create-namespace --wait fleet-crd fleet/fleet-crd
+helm install --create-namespace --version v0.12.0-beta.1 -n cattle-fleet-system --set apiServerURL=$API_SERVER_URL --set-file apiServerCA=_out/ca.pem fleet fleet/fleet --wait
 ```
 4. Install CAPI with the required experimental features enabled and initialized the Docker provider for testing.
 ```
diff --git a/docs/src/03_tutorials/02_installing_kindnet_cni.md b/docs/src/03_tutorials/02_installing_kindnet_cni.md
index 162dc91..10faeaf 100644
--- a/docs/src/03_tutorials/02_installing_kindnet_cni.md
+++ b/docs/src/03_tutorials/02_installing_kindnet_cni.md
@@ -47,3 +47,7 @@ This should result in a `kindnet` running on the matching cluster:
 kube-system         kindnet-dqzwh                                         1/1     Running   0          2m11s
 kube-system         kindnet-jbkjq                                         1/1     Running   0          2m11s
 ```
+
+### Demo
+
+<script src="https://asciinema.org/a/6x8WmsCXJQdDswAwfYHQlaVsj.js" id="asciicast-6x8WmsCXJQdDswAwfYHQlaVsj" async="true" data-start-at="327"></script>
\ No newline at end of file
diff --git a/docs/src/03_tutorials/03_installing_calico.md b/docs/src/03_tutorials/03_installing_calico.md
index cdac351..ff35db8 100644
--- a/docs/src/03_tutorials/03_installing_calico.md
+++ b/docs/src/03_tutorials/03_installing_calico.md
@@ -3,7 +3,8 @@
 <div class="warning">
 
 Note: For this setup to work, you need to install Fleet and Fleet CRDs charts via
-`FleetAddonConfig` resource. Both need to have version version >= v0.12.0-alpha.14, which provides support
+`FleetAddonConfig` resource. Both need to have version >= v0.12.0-beta.1,
+which provides support for `HelmApp` resource.
 
 </div>
 
@@ -13,7 +14,7 @@ In this tutorial we will deploy `Calico` CNI using `HelmApp` resource and `Fleet
 
 Here's an example of how a `HelmApp` resource can be used in combination with templateValues to deploy application consistently on any matching cluster.
 
-In this scenario we are matching cluster directly by name, using `clusterName` reference, but a `clusterGroup` or a label based selection can be used instead:
+In this scenario we are matching cluster directly by name, using `clusterName` reference, but a `clusterGroup` or a label based selection can be used instead or together with `clusterName`:
 ```yaml
   targets:
   - clusterName: docker-demo
@@ -22,33 +23,7 @@ In this scenario we are matching cluster directly by name, using `clusterName` r
 We are deploying `HelmApp` resource in the `default` namespace. The namespace should be the same for the CAPI Cluster for fleet to locate it.
 
 ```yaml
-apiVersion: fleet.cattle.io/v1alpha1
-kind: HelmApp
-metadata:
-  name: calico
-spec:
-  helm:
-    releaseName: projectcalico
-    repo: https://docs.tigera.io/calico/charts
-    chart: tigera-operator
-    templateValues:
-      installation: |-
-        cni:
-          type: Calico
-          ipam:
-            type: HostLocal
-        calicoNetwork:
-          bgp: Disabled
-          mtu: 1350
-          ipPools:
-            ${- range $cidr := .ClusterValues.Cluster.spec.clusterNetwork.pods.cidrBlocks }
-            - cidr: "${ $cidr }"
-              encapsulation: None
-              natOutgoing: Enabled
-              nodeSelector: all()${- end}
-  insecureSkipTLSVerify: true
-  targets:
-  - clusterName: docker-demo
+{{#include ../../../testdata/helm.yaml}}
 ```
 
 `HelmApp` supports fleet [templating][] options, otherwise available exclusively to the `fleet.yaml` configuration, stored in the [git repository contents][], and applied via the `GitRepo` resource.
diff --git a/docs/src/03_tutorials/04_installing_calico_via_gitrepo.md b/docs/src/03_tutorials/04_installing_calico_via_gitrepo.md
new file mode 100644
index 0000000..7357052
--- /dev/null
+++ b/docs/src/03_tutorials/04_installing_calico_via_gitrepo.md
@@ -0,0 +1,98 @@
+# Installing Calico CNI using GitRepo
+
+<div class="warning">
+
+Note: For this setup to work, you need have Fleet and Fleet CRDs charts installed
+with version >= `v0.12.0-alpha.14`.
+
+</div>
+
+In this tutorial we will deploy `Calico` CNI using `GitRepo` resource on `RKE2` based docker cluster.
+
+## Deploying RKE2 docker cluster
+
+We will first need to create a RKE2 based docker cluster from templates:
+
+```bash
+> kubectl apply -f testdata/cluster_docker_rke2.yaml
+dockercluster.infrastructure.cluster.x-k8s.io/docker-demo created
+cluster.cluster.x-k8s.io/docker-demo created
+dockermachinetemplate.infrastructure.cluster.x-k8s.io/docker-demo-control-plane created
+rke2controlplane.controlplane.cluster.x-k8s.io/docker-demo-control-plane created
+dockermachinetemplate.infrastructure.cluster.x-k8s.io/docker-demo-md-0 created
+rke2configtemplate.bootstrap.cluster.x-k8s.io/docker-demo-md-0 created
+machinedeployment.cluster.x-k8s.io/docker-demo-md-0 created
+configmap/docker-demo-lb-config created
+```
+
+In this scenario cluster is located in the `default` namespace, where the rest of fleet objects will go.
+Cluster is labeled with `cni: calico` in order for the `GitRepo` to match on it.
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: docker-demo
+  labels:
+    cni: calico
+```
+
+Now that cluster is created, `GitRepo` can be applied which will be evaluated asynchroniously.
+
+## Deploying Calico CNI via `GitRepo`
+
+We will first review the content of our `fleet.yaml` file:
+
+```yaml
+{{#include ../../../fleet/applications/calico/fleet.yaml}}
+```
+
+In this scenario we are using `helm` definition which is consistent with the `HelmApp` spec from the [previous][] guide, and defines same templating rules.
+
+We also need to [resolve conflicts][], which happen due to in-place modification of some resources by the `calico` controllers. For that, the `diff` section is used, where we remove blocking fields from comparison.
+
+[previous]: ./03_installing_calico.md
+[resolve conflicts]: https://fleet.rancher.io/bundle-diffs
+
+Then we are specifying `targets.yaml` file, which will declare selection rules for this `fleet.yaml` configuration. In our case, we will match on clusters labeled with `cni: calico` label:
+
+```yaml
+{{#include ../../../fleet/applications/calico/targets.yaml}}
+```
+
+Once everything is ready, we need to apply our `GitRepo` in the `default` namespace:
+
+```yaml
+{{#include ../../../testdata/gitrepo-calico.yaml}}
+```
+
+```bash
+> kubectl apply -f testdata/gitrepo-calico.yaml
+gitrepo.fleet.cattle.io/calico created
+# After some time
+> kubectl get gitrepo
+NAME     REPO                                                                     COMMIT                                     BUNDLEDEPLOYMENTS-READY   STATUS
+calico   https://github.com/rancher-sandbox/cluster-api-addon-provider-fleet.git   62b4fe6944687e02afb331b9e1839e33c539f0c7   1/1
+```
+
+Now our cluster have `calico` installed, and all nodes are marked as `Ready`:
+
+```bash
+# exec into one of the CP node containers
+> docker exec -it fef3427009f6 /bin/bash
+root@docker-demo-control-plane-krtnt:/#
+root@docker-demo-control-plane-krtnt:/# kubectl get pods -n calico-system --kubeconfig /var/lib/rancher/rke2/server/cred/api-server.kubeconfig
+NAME                                       READY   STATUS    RESTARTS   AGE
+calico-kube-controllers-55cbcc7467-j5bbd   1/1     Running   0          3m30s
+calico-node-mbrqg                          1/1     Running   0          3m30s
+calico-node-wlbwn                          1/1     Running   0          3m30s
+calico-typha-f48c7ddf7-kbq6d               1/1     Running   0          3m30s
+csi-node-driver-87tlx                      2/2     Running   0          3m30s
+csi-node-driver-99pqw                      2/2     Running   0          3m30s
+```
+
+## Demo
+
+You can follow along with the demo to verify that your deployment is matching expected result:
+
+<script src="https://asciinema.org/a/706570.js" id="asciicast-706570" async="true"></script>
\ No newline at end of file
diff --git a/docs/src/04_reference/01_import-strategy.md b/docs/src/04_reference/01_import-strategy.md
index 7a6456c..1b5de75 100644
--- a/docs/src/04_reference/01_import-strategy.md
+++ b/docs/src/04_reference/01_import-strategy.md
@@ -19,8 +19,6 @@ Fleet mainly relies on `Cluster` labels, `Cluster` names and `ClusterGroups` whe
 
 `FleetAddonConfig` provides several configuration options to define clusters to import.
 
-**Note: Please be aware that chaning selection configuration requires restart of the `CAAPF` instance, as these selection options directly translate into watch configurations for controllers established on the `API` server.**
-
 ### Namespace Label Selection
 
 This section defines how to select namespaces based on specific labels. The `namespaceSelector` field ensures that the import strategy applies only to namespaces that have the label `import: "true"`. This is useful for scoping automatic import to specific namespaces rather than applying it cluster-wide.
diff --git a/fleet/applications/calico/fleet.yaml b/fleet/applications/calico/fleet.yaml
new file mode 100644
index 0000000..9b57067
--- /dev/null
+++ b/fleet/applications/calico/fleet.yaml
@@ -0,0 +1,27 @@
+helm:
+  releaseName: projectcalico
+  repo: https://docs.tigera.io/calico/charts
+  chart: tigera-operator
+  templateValues:
+    installation: |-
+      cni:
+        type: Calico
+        ipam:
+          type: HostLocal
+      calicoNetwork:
+        bgp: Disabled
+        mtu: 1350
+        ipPools:
+          ${- range $cidr := .ClusterValues.Cluster.spec.clusterNetwork.pods.cidrBlocks }
+          - cidr: "${ $cidr }"
+            encapsulation: None
+            natOutgoing: Enabled
+            nodeSelector: all()${- end}
+
+diff:
+  comparePatches:
+  - apiVersion: operator.tigera.io/v1
+    kind: Installation
+    name: default
+    operations:
+    - {"op":"remove", "path":"/spec/kubernetesProvider"}
\ No newline at end of file
diff --git a/fleet/applications/calico/targets.yaml b/fleet/applications/calico/targets.yaml
new file mode 100644
index 0000000..60e339d
--- /dev/null
+++ b/fleet/applications/calico/targets.yaml
@@ -0,0 +1,4 @@
+targets:
+- clusterSelector:
+    matchLabels:
+      cni: calico
diff --git a/justfile b/justfile
index 6a07757..0018916 100644
--- a/justfile
+++ b/justfile
@@ -57,7 +57,6 @@ compile features="":  _create-out-dir
 
 [private]
 _build features="":
-  just compile {{features}}
   docker buildx build -t {{ORG}}/{{NAME}}:{{TAG}} .
 
 # docker build base
@@ -77,6 +76,10 @@ docker-build:
 docker-push:
     docker push {{ORG}}/{{NAME}}:{{TAG}}
 
+build-and-load:
+    docker build . -t {{ORG}}/{{NAME}}:{{TAG}}
+    kind load docker-image {{ORG}}/{{NAME}}:{{TAG}} --name dev
+
 load-base features="":
     just _build {{features}}
     kind load docker-image {{ORG}}/{{NAME}}:{{TAG}} --name dev
@@ -100,14 +103,30 @@ deploy-kindnet:
 deploy-calico:
     kubectl --context kind-dev apply -f testdata/helm.yaml
 
+deploy-calico-gitrepo: _download-yq
+    #!/usr/bin/env bash
+    set -euxo pipefail
+    repo=`git remote get-url origin`
+    branch=`git branch --show-current`
+    cp testdata/gitrepo-calico.yaml {{OUT_DIR}}/gitrepo-calico.yaml
+    yq -i ".spec.repo = \"${repo}\"" {{OUT_DIR}}/gitrepo-calico.yaml
+    yq -i ".spec.branch = \"${branch}\"" {{OUT_DIR}}/gitrepo-calico.yaml
+    kubectl apply -f {{OUT_DIR}}/gitrepo-calico.yaml
+
 # Deploy an example app bundle to the cluster
 deploy-app:
     kubectl --context kind-dev apply -f testdata/bundle.yaml
 
 # Deploy child cluster using docker & kubeadm
 deploy-child-cluster:
+    kind delete cluster --name docker-demo || true
     kubectl --context kind-dev apply -f testdata/cluster_docker_kcp.yaml
 
+# Deploy child cluster using docker & rke2
+deploy-child-rke2-cluster:
+    kind delete cluster --name docker-demo || true
+    kubectl --context kind-dev apply -f testdata/cluster_docker_rke2.yaml
+
 # Deploy child cluster-call based cluster using docker & kubeadm
 deploy-child-cluster-class:
     kind delete cluster --name capi-quickstart || true
@@ -115,11 +134,7 @@ deploy-child-cluster-class:
 
 # Add and update helm repos used
 update-helm-repos:
-    #helm repo add gitea-charts https://dl.gitea.com/charts/
     helm repo add fleet https://rancher.github.io/fleet-helm-charts/
-    #helm repo add jetstack https://charts.jetstack.io
-    #helm repo add traefik https://traefik.github.io/charts
-    #helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
     helm repo update
 
 # Install fleet into the k8s cluster
@@ -136,7 +151,7 @@ install-capi: _download-clusterctl
 # Deploy will deploy the operator
 deploy features="": _download-kustomize
     just generate {{features}}
-    just load-base {{features}}
+    just build-and-load
     kustomize build config/default | kubectl apply -f -
     kubectl --context kind-dev apply -f testdata/config.yaml
     kubectl wait fleetaddonconfigs fleet-addon-config --for=jsonpath='{.status.installedVersion}' --timeout=150s
@@ -153,6 +168,12 @@ test-import: start-dev deploy deploy-child-cluster deploy-kindnet deploy-app &&
     kubectl wait cluster --timeout=500s --for=condition=ControlPlaneReady=true docker-demo
     kubectl wait clusters.fleet.cattle.io --timeout=300s --for=condition=Ready=true docker-demo
 
+# Full e2e test of importing cluster in fleet
+test-import-rke2: start-dev deploy deploy-child-rke2-cluster deploy-calico-gitrepo deploy-app
+    kubectl wait pods --for=condition=Ready --timeout=150s --all --all-namespaces
+    kubectl wait cluster --timeout=500s --for=condition=ControlPlaneReady=true docker-demo
+    kubectl wait clusters.fleet.cattle.io --timeout=300s --for=condition=Ready=true docker-demo
+
 collect-test-import:
     -just collect-artifacts dev
     -just collect-artifacts docker-demo
diff --git a/src/api/capi_cluster.rs b/src/api/capi_cluster.rs
index 59d47b6..22903c4 100644
--- a/src/api/capi_cluster.rs
+++ b/src/api/capi_cluster.rs
@@ -1,5 +1,8 @@
 use cluster_api_rs::capi_cluster::{ClusterSpec, ClusterStatus};
-use kube::{api::{ObjectMeta, TypeMeta}, Resource};
+use kube::{
+    api::{ObjectMeta, TypeMeta},
+    Resource,
+};
 use serde::{Deserialize, Serialize};
 
 #[derive(Resource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
diff --git a/src/api/capi_clusterclass.rs b/src/api/capi_clusterclass.rs
index 7482c1a..e7af08e 100644
--- a/src/api/capi_clusterclass.rs
+++ b/src/api/capi_clusterclass.rs
@@ -1,5 +1,8 @@
 use cluster_api_rs::capi_clusterclass::{ClusterClassSpec, ClusterClassStatus};
-use kube::{api::{ObjectMeta, TypeMeta}, Resource};
+use kube::{
+    api::{ObjectMeta, TypeMeta},
+    Resource,
+};
 use serde::{Deserialize, Serialize};
 
 #[derive(Resource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
diff --git a/src/api/fleet_addon_config.rs b/src/api/fleet_addon_config.rs
index f731331..e91b504 100644
--- a/src/api/fleet_addon_config.rs
+++ b/src/api/fleet_addon_config.rs
@@ -1,4 +1,4 @@
-use fleet_api_rs::fleet_cluster::ClusterAgentEnvVars;
+use fleet_api_rs::fleet_cluster::{ClusterAgentEnvVars, ClusterAgentTolerations};
 use k8s_openapi::{
     api::core::v1::ObjectReference, apimachinery::pkg::apis::meta::v1::LabelSelector,
 };
@@ -107,6 +107,10 @@ pub struct ClusterConfig {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub agent_namespace: Option<String>,
 
+    /// Agent taint toleration settings for every cluster
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub agent_tolerations: Option<Vec<ClusterAgentTolerations>>,
+
     /// Host network allows to deploy agent configuration using hostNetwork: true setting
     /// which eludes dependency on the CNI configuration for the cluster.
     #[serde(skip_serializing_if = "Option::is_none")]
@@ -134,6 +138,32 @@ impl ClusterConfig {
             .unwrap_or(AGENT_NAMESPACE.to_string())
     }
 
+    pub(crate) fn agent_tolerations(&self) -> Vec<ClusterAgentTolerations> {
+        let agent_tolerations = vec![
+            ClusterAgentTolerations {
+                effect: Some("NoSchedule".into()),
+                operator: Some("Exists".into()),
+                key: Some("node.kubernetes.io/not-ready".into()),
+                ..Default::default()
+            },
+            ClusterAgentTolerations {
+                effect: Some("NoSchedule".into()),
+                operator: Some("Exists".into()),
+                key: Some("node.cluster.x-k8s.io/uninitialized".into()),
+                ..Default::default()
+            },
+            ClusterAgentTolerations {
+                effect: Some("NoSchedule".into()),
+                operator: Some("Equal".into()),
+                key: Some("node.cloudprovider.kubernetes.io/uninitialized".into()),
+                value: Some("true".into()),
+                ..Default::default()
+            },
+        ];
+
+        self.agent_tolerations.clone().unwrap_or(agent_tolerations)
+    }
+
     #[cfg(feature = "agent-initiated")]
     pub(crate) fn agent_initiated_connection(&self) -> bool {
         self.agent_initiated.filter(|&set| set).is_some()
@@ -167,6 +197,7 @@ impl Default for ClusterConfig {
             selectors: Default::default(),
             patch_resource: Some(true),
             agent_env_vars: None,
+            agent_tolerations: None,
         }
     }
 }
@@ -233,11 +264,9 @@ impl NamingStrategy {
 #[serde(rename_all = "camelCase")]
 pub struct Selectors {
     /// Namespace label selector. If set, only clusters in the namespace matching label selector will be imported.
-    /// WARN: this field controls the state of opened watches to the cluster. If changed, requires controller to be reloaded.
     pub namespace_selector: LabelSelector,
 
     /// Cluster label selector. If set, only clusters matching label selector will be imported.
-    /// WARN: this field controls the state of opened watches to the cluster. If changed, requires controller to be reloaded.
     pub selector: LabelSelector,
 }
 
diff --git a/src/api/fleet_cluster.rs b/src/api/fleet_cluster.rs
index 28fdbe8..fc8e3f6 100644
--- a/src/api/fleet_cluster.rs
+++ b/src/api/fleet_cluster.rs
@@ -1,6 +1,9 @@
-use serde::{Deserialize, Serialize};
 use fleet_api_rs::fleet_cluster::{ClusterSpec, ClusterStatus};
-use kube::{api::{ObjectMeta, TypeMeta}, Resource};
+use kube::{
+    api::{ObjectMeta, TypeMeta},
+    Resource,
+};
+use serde::{Deserialize, Serialize};
 
 #[derive(Resource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
 #[resource(inherit = fleet_api_rs::fleet_cluster::Cluster)]
diff --git a/src/api/fleet_cluster_registration_token.rs b/src/api/fleet_cluster_registration_token.rs
index 64ae322..08999eb 100644
--- a/src/api/fleet_cluster_registration_token.rs
+++ b/src/api/fleet_cluster_registration_token.rs
@@ -1,8 +1,11 @@
-use serde::{Deserialize, Serialize};
 use fleet_api_rs::fleet_cluster_registration_token::{
     ClusterRegistrationTokenSpec, ClusterRegistrationTokenStatus,
 };
-use kube::{api::{ObjectMeta, TypeMeta}, Resource};
+use kube::{
+    api::{ObjectMeta, TypeMeta},
+    Resource,
+};
+use serde::{Deserialize, Serialize};
 
 #[derive(Resource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
 #[resource(inherit = fleet_api_rs::fleet_cluster_registration_token::ClusterRegistrationToken)]
diff --git a/src/api/fleet_clustergroup.rs b/src/api/fleet_clustergroup.rs
index 981aac7..b93466f 100644
--- a/src/api/fleet_clustergroup.rs
+++ b/src/api/fleet_clustergroup.rs
@@ -1,6 +1,9 @@
-use serde::{Deserialize, Serialize};
 use fleet_api_rs::fleet_clustergroup::{ClusterGroupSpec, ClusterGroupStatus};
-use kube::{api::{ObjectMeta, TypeMeta}, Resource};
+use kube::{
+    api::{ObjectMeta, TypeMeta},
+    Resource,
+};
+use serde::{Deserialize, Serialize};
 
 #[derive(Resource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
 #[resource(inherit = fleet_api_rs::fleet_clustergroup::ClusterGroup)]
diff --git a/src/controller.rs b/src/controller.rs
index 00a79d1..128ec5f 100644
--- a/src/controller.rs
+++ b/src/controller.rs
@@ -6,13 +6,16 @@ use crate::api::fleet_clustergroup::ClusterGroup;
 use crate::controllers::addon_config::FleetConfig;
 use crate::controllers::controller::{fetch_config, Context, FleetController};
 use crate::metrics::Diagnostics;
+use crate::multi_dispatcher::{broadcaster, BroadcastStream, MultiDispatcher};
 use crate::{Error, Metrics};
 
 use clap::Parser;
 use futures::channel::mpsc;
-use futures::StreamExt;
+use futures::stream::SelectAll;
+use futures::{Stream, StreamExt};
 
 use k8s_openapi::api::core::v1::Namespace;
+use kube::api::{DynamicObject, ListParams};
 use kube::core::DeserializeGuard;
 use kube::runtime::reflector::ObjectRef;
 use kube::runtime::{metadata_watcher, predicates, reflector, watcher, WatchStreamExt};
@@ -26,16 +29,22 @@ use kube::{
     },
 };
 use tokio::sync::Mutex;
+use tokio::time::sleep;
 
 use std::future;
 
 use std::ops::Deref;
+use std::pin::Pin;
 use std::sync::Arc;
 use tokio::{sync::RwLock, time::Duration};
-use tracing::{self, warn};
+use tracing::{self, info, warn};
+
+type DynamicStream = SelectAll<
+    Pin<Box<dyn Stream<Item = Result<watcher::Event<DynamicObject>, watcher::Error>> + Send>>,
+>;
 
 /// State shared between the controller and the web server
-#[derive(Clone, Default)]
+#[derive(Clone)]
 pub struct State {
     /// Diagnostics populated by the reconciler
     diagnostics: Arc<RwLock<Diagnostics>>,
@@ -45,6 +54,11 @@ pub struct State {
 
     /// Additional flags for controller
     pub flags: Flags,
+
+    // dispatcher
+    dispatcher: MultiDispatcher,
+    // shared stream of dynamic events
+    stream: BroadcastStream<DynamicStream>,
 }
 
 #[derive(Parser, Debug, Clone, Default)]
@@ -55,6 +69,12 @@ pub struct Flags {
 }
 
 /// State wrapper around the controller outputs for the web server
+impl Default for State {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
 impl State {
     pub fn new() -> Self {
         let registry = Default::default();
@@ -62,7 +82,9 @@ impl State {
             metrics: Metrics::default().register(&registry).unwrap(),
             registry,
             flags: Flags::parse(),
-            ..Default::default()
+            dispatcher: MultiDispatcher::new(128),
+            diagnostics: Default::default(),
+            stream: BroadcastStream::new(Default::default()),
         }
     }
 
@@ -82,6 +104,8 @@ impl State {
             client,
             metrics: self.metrics.clone(),
             diagnostics: self.diagnostics.clone(),
+            dispatcher: self.dispatcher.clone(),
+            stream: self.stream.clone(),
         })
     }
 }
@@ -90,20 +114,53 @@ pub async fn run_fleet_addon_config_controller(state: State) {
     let client = Client::try_default()
         .await
         .expect("failed to create kube Client");
-    let api: Api<FleetAddonConfig> = Api::all(client.clone());
-    let fleet_addon_config_controller = Controller::new(api, watcher::Config::default())
-        .watches(
-            Api::<DeserializeGuard<FleetConfig>>::all(client.clone()),
-            Config::default().fields("metadata.name=fleet-controller"),
-            |config| config.0.ok().map(|_| ObjectRef::new("fleet-addon-config")),
-        )
-        .run(
-            FleetAddonConfig::reconcile_config_sync,
-            error_policy,
-            state.to_context(client.clone()),
-        )
+
+    let config_controller = Controller::new(
+        Api::<FleetAddonConfig>::all(client.clone()),
+        Config::default().any_semantic(),
+    )
+    .watches(
+        Api::<DeserializeGuard<FleetConfig>>::all(client.clone()),
+        Config::default().fields("metadata.name=fleet-controller"),
+        |config| config.0.ok().map(|_| ObjectRef::new("fleet-addon-config")),
+    )
+    .shutdown_on_signal()
+    .run(
+        FleetAddonConfig::reconcile_config_sync,
+        error_policy,
+        state.to_context(client.clone()),
+    )
+    .for_each(|_| futures::future::ready(()));
+
+    let dynamic_watches_controller = Controller::new(
+        Api::<FleetAddonConfig>::all(client.clone()),
+        Config::default().any_semantic(),
+    )
+    .shutdown_on_signal()
+    .run(
+        FleetAddonConfig::reconcile_dynamic_watches,
+        error_policy,
+        state.to_context(client.clone()),
+    )
+    .for_each(|_| futures::future::ready(()));
+
+    let watcher = broadcaster(state.dispatcher.clone(), state.stream.clone())
         .for_each(|_| futures::future::ready(()));
-    tokio::join!(fleet_addon_config_controller);
+
+    // Reconcile initial state of watches
+    Arc::new(
+        fetch_config(client.clone())
+            .await
+            .expect("failed to get FleetAddonConfig resource"),
+    )
+    .update_watches(state.to_context(client.clone()))
+    .await
+    .expect("Initial dynamic watches setup to succeed");
+
+    tokio::select! {
+        _ = watcher => {panic!("This should not happen before controllers exit")},
+        _ = futures::future::join(dynamic_watches_controller, config_controller) => {}
+    };
 }
 
 pub async fn run_fleet_helm_controller(state: State) {
@@ -112,6 +169,7 @@ pub async fn run_fleet_helm_controller(state: State) {
         .expect("failed to create kube Client");
     let api: Api<FleetAddonConfig> = Api::all(client.clone());
     let fleet_addon_config_controller = Controller::new(api, watcher::Config::default())
+        .shutdown_on_signal()
         .run(
             FleetAddonConfig::reconcile_helm,
             error_policy,
@@ -127,29 +185,21 @@ pub async fn run_cluster_controller(state: State) {
         .await
         .expect("failed to create kube Client");
 
+    loop {
+        let clusters = Api::<fleet_cluster::Cluster>::all(client.clone());
+        if let Err(e) = clusters.list(&ListParams::default().limit(1)).await {
+            info!("Fleet Clusters are not queryable; {e:?}. Is the CRD installed?");
+            sleep(Duration::new(5, 0)).await;
+            continue;
+        }
+
+        break;
+    }
+
     let config = fetch_config(client.clone())
         .await
         .expect("failed to get FleetAddonConfig resource");
 
-    let (reader, writer) = reflector::store();
-    let clusters = watcher(
-        Api::<Cluster>::all(client.clone()),
-        Config::default()
-            .labels_from(
-                &config
-                    .cluster_watch()
-                    .expect("valid cluster label selector"),
-            )
-            .any_semantic(),
-    )
-    .default_backoff()
-    .modify(|c| {
-        c.managed_fields_mut().clear();
-    })
-    .reflect(writer)
-    .touched_objects()
-    .predicate_filter(predicates::resource_version);
-
     let fleet = metadata_watcher(
         Api::<fleet_cluster::Cluster>::all(client.clone()),
         Config::default().any_semantic(),
@@ -159,7 +209,8 @@ pub async fn run_cluster_controller(state: State) {
     .predicate_filter(predicates::resource_version);
 
     let (invoke_reconcile, namespace_trigger) = mpsc::channel(0);
-    let clusters = Controller::for_stream(clusters, reader)
+    let (sub, reader) = state.dispatcher.subscribe();
+    let clusters = Controller::for_shared_stream(sub, reader)
         .owns_stream(fleet)
         .reconcile_all_on(namespace_trigger)
         .shutdown_on_signal()
@@ -178,28 +229,8 @@ pub async fn run_cluster_controller(state: State) {
         return clusters.await;
     }
 
-    let (reader, writer) = reflector::store();
-    let namespaces = metadata_watcher(
-        Api::<Namespace>::all(client.clone()),
-        Config::default()
-            .labels_from(
-                &config
-                    .namespace_selector()
-                    .expect("valid namespace selector"),
-            )
-            .any_semantic(),
-    )
-    .default_backoff()
-    .modify(|ns| {
-        ns.managed_fields_mut().clear();
-        ns.annotations_mut().clear();
-        ns.labels_mut().clear();
-    })
-    .reflect(writer)
-    .touched_objects()
-    .predicate_filter(predicates::resource_version);
-
-    let ns_controller = Controller::for_stream(namespaces, reader)
+    let (sub, reader) = state.dispatcher.subscribe::<Namespace>();
+    let ns_controller = Controller::for_shared_stream(sub, reader)
         .shutdown_on_signal()
         .run(
             Cluster::reconcile_ns,
diff --git a/src/controllers/addon_config.rs b/src/controllers/addon_config.rs
index c7f73dc..bf77999 100644
--- a/src/controllers/addon_config.rs
+++ b/src/controllers/addon_config.rs
@@ -1,19 +1,24 @@
 use base64::prelude::*;
+use cluster_api_rs::capi_cluster::Cluster;
+use futures::StreamExt as _;
 use std::{fmt::Display, io, str::FromStr, sync::Arc, time::Duration};
 
-use k8s_openapi::api::core::v1::{ConfigMap, Endpoints};
+use k8s_openapi::api::core::v1::{self, ConfigMap, Endpoints};
 use kube::{
-    api::{ObjectMeta, Patch, PatchParams, TypeMeta},
+    api::{ApiResource, ObjectMeta, Patch, PatchParams, TypeMeta},
     client::scope::Namespace,
     core::object::HasSpec,
-    runtime::controller::Action,
+    runtime::{
+        controller::Action,
+        watcher::{self, Config},
+    },
     Api, Resource, ResourceExt,
 };
 use serde::{ser, Deserialize, Serialize};
 use serde_json::Value;
 use serde_with::{serde_as, DisplayFromStr};
 use thiserror::Error;
-use tracing::instrument;
+use tracing::{info, instrument};
 
 use crate::{
     api::fleet_addon_config::{FleetAddonConfig, Install, InstallOptions, Server},
@@ -132,6 +137,52 @@ impl FleetAddonConfig {
         )
         .await?;
 
+        info!("Updated fleet config map");
+
+        Ok(Action::await_change())
+    }
+
+    #[instrument(skip_all, fields(trace_id = display(telemetry::get_trace_id()), name = self.name_any(), namespace = self.namespace()))]
+    pub async fn update_watches(self: Arc<Self>, ctx: Arc<Context>) -> DynamiWatcherResult<Action> {
+        info!("Reconciling dynamic watches");
+        let cluster_selector = self.cluster_watch()?;
+        let ns_selector = self.namespace_selector()?;
+
+        let mut stream = ctx.stream.stream.lock().await;
+        stream.clear();
+
+        stream.push(
+            watcher::watcher(
+                Api::all_with(ctx.client.clone(), &ApiResource::erase::<Cluster>(&())),
+                Config::default()
+                    .labels_from(&cluster_selector)
+                    .any_semantic(),
+            )
+            .boxed(),
+        );
+
+        stream.push(
+            watcher::watcher(
+                Api::all_with(
+                    ctx.client.clone(),
+                    &ApiResource::erase::<v1::Namespace>(&()),
+                ),
+                Config::default().labels_from(&ns_selector).any_semantic(),
+            )
+            .boxed(),
+        );
+
+        info!("Reconciled dynamic watches to match selectors: namespace={ns_selector}, cluster={cluster_selector}");
+        Ok(Action::await_change())
+    }
+
+    #[instrument(skip_all, fields(trace_id = display(telemetry::get_trace_id()), name = self.name_any(), namespace = self.namespace()))]
+    pub async fn reconcile_dynamic_watches(
+        self: Arc<Self>,
+        ctx: Arc<Context>,
+    ) -> crate::Result<Action> {
+        self.update_watches(ctx).await?;
+
         Ok(Action::await_change())
     }
 
@@ -314,6 +365,14 @@ pub enum AddonConfigSyncError {
     CommandError(#[from] io::Error),
 }
 
+pub type DynamiWatcherResult<T> = std::result::Result<T, DynamicWatcherError>;
+
+#[derive(Error, Debug)]
+pub enum DynamicWatcherError {
+    #[error("Invalid selector encountered: {0}")]
+    SelectorParseError(#[from] kube::core::ParseExpressionError),
+}
+
 mod tests {
     #[test]
     fn test() {
diff --git a/src/controllers/cluster.rs b/src/controllers/cluster.rs
index 5ac3163..66ca558 100644
--- a/src/controllers/cluster.rs
+++ b/src/controllers/cluster.rs
@@ -8,7 +8,7 @@ use crate::api::fleet_cluster_registration_token::ClusterRegistrationToken;
 use crate::api::fleet_clustergroup::ClusterGroup;
 use crate::Error;
 use cluster_api_rs::capi_cluster::ClusterTopology;
-use fleet_api_rs::fleet_cluster::{ClusterAgentTolerations, ClusterSpec};
+use fleet_api_rs::fleet_cluster::ClusterSpec;
 use fleet_api_rs::fleet_clustergroup::{ClusterGroupSelector, ClusterGroupSpec};
 use futures::channel::mpsc::Sender;
 use k8s_openapi::api::core::v1::Namespace;
@@ -184,22 +184,6 @@ impl Cluster {
             None | Some(ClusterTopology { .. }) => self.labels().clone(),
         };
 
-        let agent_tolerations = Some(vec![
-            ClusterAgentTolerations {
-                effect: Some("NoSchedule".into()),
-                operator: Some("Equal".into()),
-                key: Some("node.kubernetes.io/not-ready".into()),
-                ..Default::default()
-            },
-            ClusterAgentTolerations {
-                effect: Some("NoSchedule".into()),
-                operator: Some("Equal".into()),
-                key: Some("node.cloudprovider.kubernetes.io/uninitialized".into()),
-                value: Some("true".into()),
-                ..Default::default()
-            },
-        ]);
-
         fleet_cluster::Cluster {
             types: Some(TypeMeta::resource::<fleet_cluster::Cluster>()),
             metadata: ObjectMeta {
@@ -216,18 +200,18 @@ impl Cluster {
                 true => ClusterSpec {
                     client_id: Some(Alphanumeric.sample_string(&mut rand::rng(), 64)),
                     agent_namespace: config.agent_install_namespace().into(),
+                    agent_tolerations: config.agent_tolerations().into(),
                     host_network: config.host_network,
                     agent_env_vars: config.agent_env_vars,
-                    agent_tolerations,
                     ..Default::default()
                 }
                 .into(),
                 false => ClusterSpec {
                     kube_config_secret: Some(format!("{}-kubeconfig", self.name_any())),
                     agent_namespace: config.agent_install_namespace().into(),
+                    agent_tolerations: config.agent_tolerations().into(),
                     host_network: config.host_network,
                     agent_env_vars: config.agent_env_vars,
-                    agent_tolerations,
                     ..Default::default()
                 }
                 .into(),
@@ -236,9 +220,9 @@ impl Cluster {
             spec: ClusterSpec {
                 kube_config_secret: Some(format!("{}-kubeconfig", self.name_any())),
                 agent_namespace: config.agent_install_namespace().into(),
+                agent_tolerations: config.agent_tolerations().into(),
                 host_network: config.host_network,
                 agent_env_vars: config.agent_env_vars,
-                agent_tolerations,
                 ..Default::default()
             },
             ..Default::default()
diff --git a/src/controllers/controller.rs b/src/controllers/controller.rs
index f64d168..61860e6 100644
--- a/src/controllers/controller.rs
+++ b/src/controllers/controller.rs
@@ -1,21 +1,25 @@
 use crate::api::fleet_addon_config::FleetAddonConfig;
 use crate::controllers::PatchError;
 use crate::metrics::Diagnostics;
+use crate::multi_dispatcher::{BroadcastStream, MultiDispatcher};
 use crate::{telemetry, Error, Metrics};
 use chrono::Utc;
 
+use futures::stream::SelectAll;
+use futures::Stream;
 use k8s_openapi::NamespaceResourceScope;
 
-use kube::api::{Patch, PatchParams, PostParams};
+use kube::api::{DynamicObject, Patch, PatchParams, PostParams};
 
 use kube::runtime::events::{Event, EventType};
-use kube::runtime::finalizer;
+use kube::runtime::{finalizer, watcher};
 
 use kube::{api::Api, client::Client, runtime::controller::Action};
 
 use serde::de::DeserializeOwned;
 use serde::Serialize;
 
+use std::pin::Pin;
 use std::sync::Arc;
 use tokio::sync::RwLock;
 use tracing::{self, debug, info, instrument};
@@ -26,6 +30,10 @@ use super::{
 
 pub static FLEET_FINALIZER: &str = "fleet.addons.cluster.x-k8s.io";
 
+type DynamicStream = SelectAll<
+    Pin<Box<dyn Stream<Item = Result<watcher::Event<DynamicObject>, watcher::Error>> + Send>>,
+>;
+
 // Context for the reconciler
 #[derive(Clone)]
 pub struct Context {
@@ -35,6 +43,10 @@ pub struct Context {
     pub diagnostics: Arc<RwLock<Diagnostics>>,
     /// Prom metrics
     pub metrics: Metrics,
+    // Dispatcher for dynamic resource controllers
+    pub dispatcher: MultiDispatcher,
+    // shared stream of dynamic events
+    pub stream: BroadcastStream<DynamicStream>,
 }
 
 pub(crate) async fn get_or_create<R>(ctx: Arc<Context>, res: R) -> GetOrCreateResult<Action>
diff --git a/src/lib.rs b/src/lib.rs
index fb25207..bde3559 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,4 +1,7 @@
-use controllers::{addon_config::AddonConfigSyncError, BundleError, SyncError};
+use controllers::{
+    addon_config::{AddonConfigSyncError, DynamicWatcherError},
+    BundleError, SyncError,
+};
 use futures::channel::mpsc::TrySendError;
 use thiserror::Error;
 
@@ -19,6 +22,9 @@ pub enum Error {
     #[error("Fleet config error: {0}")]
     FleetConfigError(#[from] AddonConfigSyncError),
 
+    #[error("Dynamic watcher error: {0}")]
+    DynamicWatcherError(#[from] DynamicWatcherError),
+
     #[error("Namespace trigger error: {0}")]
     TriggerError(#[from] TrySendError<()>),
 
@@ -44,6 +50,7 @@ pub mod controller;
 pub use crate::controller::*;
 pub mod api;
 pub mod controllers;
+mod multi_dispatcher;
 pub mod predicates;
 
 /// Log and trace integrations
diff --git a/src/multi_dispatcher.rs b/src/multi_dispatcher.rs
new file mode 100644
index 0000000..3cb1175
--- /dev/null
+++ b/src/multi_dispatcher.rs
@@ -0,0 +1,236 @@
+use std::{
+    hash::Hash,
+    pin::Pin,
+    sync::Arc,
+    task::{Context, Poll},
+};
+
+use async_broadcast::{InactiveReceiver, Receiver, Sender};
+use async_stream::stream;
+use futures::{lock::Mutex, ready, Stream, StreamExt as _};
+use kube::{
+    api::{DynamicObject, GroupVersionKind},
+    runtime::{
+        reflector::{store::Writer, Lookup, Store},
+        watcher::{Event, Result},
+    },
+    Resource,
+};
+use pin_project::pin_project;
+use serde::de::DeserializeOwned;
+
+#[derive(Clone)]
+pub struct MultiDispatcher {
+    dispatch_tx: Sender<Event<DynamicObject>>,
+    // An inactive reader that prevents the channel from closing until the
+    // writer is dropped.
+    _dispatch_rx: InactiveReceiver<Event<DynamicObject>>,
+}
+
+impl MultiDispatcher {
+    #[must_use]
+    pub fn new(buf_size: usize) -> Self {
+        // Create a broadcast (tx, rx) pair
+        let (mut dispatch_tx, dispatch_rx) = async_broadcast::broadcast(buf_size);
+        // The tx half will not wait for any receivers to be active before
+        // broadcasting events. If no receivers are active, events will be
+        // buffered.
+        dispatch_tx.set_await_active(false);
+        Self {
+            dispatch_tx,
+            _dispatch_rx: dispatch_rx.deactivate(),
+        }
+    }
+
+    /// Return a handle to a typed subscriber
+    ///
+    /// Multiple subscribe handles may be obtained, by either calling
+    /// `subscribe` multiple times, or by calling `clone()`
+    ///
+    /// This function returns a `Some` when the [`Writer`] is constructed through
+    /// [`Writer::new_shared`] or [`store_shared`], and a `None` otherwise.
+    #[must_use]
+    pub fn subscribe<K>(&self) -> (TypedReflectHandle<K>, Store<K>)
+    where
+        K: Resource + Clone + DeserializeOwned,
+        K::DynamicType: Eq + Clone + Hash + Default,
+    {
+        let sub = TypedReflectHandle::new(self.dispatch_tx.new_receiver());
+        let reader = sub.reader();
+        (sub, reader)
+    }
+
+    /// Broadcast an event to any downstream listeners subscribed on the store
+    pub(crate) async fn broadcast_event(&mut self, event: &Event<DynamicObject>) {
+        match event {
+            // Broadcast stores are pre-initialized
+            Event::InitDone => {}
+            ev => {
+                let _ = self.dispatch_tx.broadcast_direct(ev.clone()).await;
+            }
+        }
+    }
+}
+
+/// `BroadcastStream` allows to stream shared list of dynamic objects,
+/// sources of which can be changed at any moment.
+pub struct BroadcastStream<W> {
+    pub stream: Arc<Mutex<W>>,
+}
+
+impl<W> Clone for BroadcastStream<W> {
+    fn clone(&self) -> Self {
+        Self {
+            stream: self.stream.clone(),
+        }
+    }
+}
+
+impl<W> BroadcastStream<W>
+where
+    W: Stream<Item = Result<Event<DynamicObject>>> + Unpin,
+{
+    pub fn new(stream: Arc<Mutex<W>>) -> Self {
+        Self { stream }
+    }
+}
+
+impl<W> Stream for BroadcastStream<W>
+where
+    W: Stream<Item = Result<Event<DynamicObject>>> + Unpin,
+{
+    type Item = W::Item;
+
+    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Self::Item>> {
+        if let Some(mut stream) = self.stream.try_lock() {
+            return stream.poll_next_unpin(cx);
+        }
+
+        Poll::Pending
+    }
+}
+
+/// A handle to a shared dynamic object stream
+///
+/// [`TypedReflectHandle`]s are created by calling [`subscribe()`] on a [`TypedDispatcher`],
+/// Each shared stream reader should be polled independently and driven to readiness
+/// to avoid deadlocks. When the [`TypedDispatcher`]'s buffer is filled, backpressure
+/// will be applied on the root stream side.
+///
+/// When the root stream is dropped, or it ends, all [`TypedReflectHandle`]s
+/// subscribed to the shared stream will also terminate after all events yielded by
+/// the root stream have been observed. This means [`TypedReflectHandle`] streams
+/// can still be polled after the root stream has been dropped.
+#[pin_project]
+pub struct TypedReflectHandle<K>
+where
+    K: Lookup + Clone + 'static,
+    K::DynamicType: Eq + std::hash::Hash + Clone,
+    K: DeserializeOwned,
+{
+    #[pin]
+    rx: Receiver<Event<DynamicObject>>,
+    store: Writer<K>,
+}
+
+impl<K> TypedReflectHandle<K>
+where
+    K: Lookup + Clone + 'static,
+    K::DynamicType: Eq + std::hash::Hash + Clone + Default,
+    K: DeserializeOwned,
+{
+    pub(super) fn new(rx: Receiver<Event<DynamicObject>>) -> TypedReflectHandle<K> {
+        Self {
+            rx,
+            // Initialize a ready store by default
+            store: {
+                let mut store: Writer<K> = Default::default();
+                store.apply_watcher_event(&Event::InitDone);
+                store
+            },
+        }
+    }
+
+    pub fn reader(&self) -> Store<K> {
+        self.store.as_reader()
+    }
+}
+
+pub fn gvk(obj: &DynamicObject) -> Option<GroupVersionKind> {
+    let gvk = obj.types.clone()?;
+    gvk.try_into().ok()
+}
+
+pub fn typed_gvk<K: Resource>(dt: K::DynamicType) -> GroupVersionKind {
+    GroupVersionKind::gvk(&K::group(&dt), &K::version(&dt), &K::kind(&dt))
+}
+
+impl<K> Stream for TypedReflectHandle<K>
+where
+    K: Resource + Clone + 'static,
+    K::DynamicType: Eq + std::hash::Hash + Clone + Default,
+    K: DeserializeOwned,
+{
+    type Item = Arc<K>;
+
+    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Self::Item>> {
+        let mut this = self.project();
+        loop {
+            return match ready!(this.rx.as_mut().poll_next(cx)) {
+                Some(event) => {
+                    let obj = match event {
+                        Event::InitApply(obj) | Event::Apply(obj)
+                            if gvk(&obj) == Some(typed_gvk::<K>(Default::default())) =>
+                        {
+                            obj.try_parse::<K>()
+                                .ok()
+                                .inspect(|o| {
+                                    this.store.apply_watcher_event(&Event::Apply(o.clone()));
+                                })
+                                .map(Arc::new)
+                        }
+                        Event::Delete(obj)
+                            if gvk(&obj) == Some(typed_gvk::<K>(Default::default())) =>
+                        {
+                            obj.try_parse::<K>()
+                                .ok()
+                                .inspect(|o| {
+                                    this.store.apply_watcher_event(&Event::Delete(o.clone()));
+                                })
+                                .map(Arc::new)
+                        }
+                        _ => None,
+                    };
+
+                    // Skip propagating all objects which do not belong to the cache
+                    if obj.is_none() {
+                        continue;
+                    }
+
+                    Poll::Ready(obj)
+                }
+                None => Poll::Ready(None),
+            };
+        }
+    }
+}
+
+pub fn broadcaster<W>(
+    mut writer: MultiDispatcher,
+    mut broadcast: BroadcastStream<W>,
+) -> impl Stream<Item = W::Item>
+where
+    W: Stream<Item = Result<Event<DynamicObject>>> + Unpin,
+{
+    stream! {
+        while let Some(event) = broadcast.next().await {
+            match event {
+                Ok(ev) => {
+                    writer.broadcast_event(&ev).await;
+                    yield Ok(ev);
+                },
+                Err(ev) => yield Err(ev)
+            }
+        }
+    }
+}
diff --git a/testdata/cluster_docker_rke2.yaml b/testdata/cluster_docker_rke2.yaml
index 0100d1b..db1a497 100644
--- a/testdata/cluster_docker_rke2.yaml
+++ b/testdata/cluster_docker_rke2.yaml
@@ -1,3 +1,121 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: DockerCluster
+metadata:
+  name: docker-demo
+spec:
+  loadBalancer:
+    customHAProxyConfigTemplateRef:
+      name: docker-demo-lb-config
+---
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: docker-demo
+  labels:
+    cni: calico
+    import: ""
+spec:
+  clusterNetwork:
+    pods:
+      cidrBlocks:
+      - 10.1.0.0/16
+    services:
+      cidrBlocks:
+      - 10.10.0.0/16
+    serviceDomain: cluster.local
+  controlPlaneRef:
+    apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+    kind: RKE2ControlPlane
+    name: docker-demo-control-plane
+  infrastructureRef:
+    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+    kind: DockerCluster
+    name: docker-demo
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: DockerMachineTemplate
+metadata:
+  name:  docker-demo-control-plane
+spec:
+  template:
+    spec:
+      customImage: kindest/node:v1.31.0
+      bootstrapTimeout: 15m
+---
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: RKE2ControlPlane
+metadata:
+  name: docker-demo-control-plane
+spec:
+  replicas: 1
+  version: v1.31.0+rke2r1
+  rolloutStrategy:
+    rollingUpdate:
+      maxSurge: 1
+    type: RollingUpdate
+  serverConfig:
+    cloudProviderName: external
+    cni: none
+    kubeAPIServer:
+      extraArgs:
+      - --anonymous-auth=true
+    disableComponents:
+      pluginComponents:
+       - rke2-ingress-nginx
+      kubernetesComponents:
+      - cloudController
+  machineTemplate:
+    infrastructureRef:
+      apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+      kind: DockerMachineTemplate
+      name:  docker-demo-control-plane
+    nodeDrainTimeout: 30s
+  infrastructureRef:
+    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+    kind: DockerMachineTemplate
+    name:  docker-demo-control-plane
+  nodeDrainTimeout: 30s
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: DockerMachineTemplate
+metadata:
+  name: docker-demo-md-0
+spec:
+  template:
+    spec:
+      customImage: kindest/node:v1.31.0
+      bootstrapTimeout: 15m
+---
+apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
+kind: RKE2ConfigTemplate
+metadata:
+  name: docker-demo-md-0
+spec: {}
+---
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: MachineDeployment
+metadata:
+  name: docker-demo-md-0
+spec:
+  clusterName: docker-demo
+  replicas: 1
+  selector:
+    matchLabels:
+      cluster.x-k8s.io/cluster-name: docker-demo
+  template:
+    spec:
+      version: v1.31.0+rke2r1
+      clusterName: docker-demo
+      bootstrap:
+        configRef:
+          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
+          kind: RKE2ConfigTemplate
+          name: docker-demo-md-0
+      infrastructureRef:
+        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+        kind: DockerMachineTemplate
+        name: docker-demo-md-0
+---
 apiVersion: v1
 data:
   value: |-
@@ -25,10 +143,12 @@ data:
       default-server init-addr none
 
     frontend stats
+      mode http
       bind *:8404
       stats enable
-      stats uri /
-      stats refresh 10s
+      stats uri /stats
+      stats refresh 1s
+      stats admin if TRUE
 
     frontend control-plane
       bind *:{{ .FrontendControlPlanePort }}
@@ -39,10 +159,9 @@ data:
 
     backend kube-apiservers
       option httpchk GET /healthz
-      http-check expect status 401
-      # TODO: we should be verifying (!)
-      {{range $server, $address := .BackendServers}}
-      server {{ $server }} {{ JoinHostPort $address $.BackendControlPlanePort }} check check-ssl verify none resolvers docker resolve-prefer {{ if $.IPv6 -}} ipv6 {{- else -}} ipv4 {{- end }}
+
+      {{range $server, $backend := .BackendServers }}
+      server {{ $server }} {{ JoinHostPort $backend.Address $.BackendControlPlanePort }} check check-ssl verify none resolvers docker resolve-prefer {{ if $.IPv6 -}} ipv6 {{- else -}} ipv4 {{- end }}
       {{- end}}
 
     frontend rke2-join
@@ -55,120 +174,11 @@ data:
     backend rke2-servers
       option httpchk GET /v1-rke2/readyz
       http-check expect status 403
-      {{range $server, $address := .BackendServers}}
-      server {{ $server }} {{ $address }}:9345 check check-ssl verify none
+      {{range $server, $backend := .BackendServers }}
+      server {{ $server }} {{ $backend.Address }}:9345 check check-ssl verify none
       {{- end}}
 kind: ConfigMap
 metadata:
-  name: test-lb-config
-  namespace: default
----
-apiVersion: cluster.x-k8s.io/v1beta1
-kind: Cluster
-metadata:
-  name: test1
-  namespace: default
-spec:
-  clusterNetwork:
-    pods:
-      cidrBlocks:
-      - 10.45.0.0/16
-    serviceDomain: cluster.local
-    services:
-      cidrBlocks:
-      - 10.46.0.0/16
-  controlPlaneRef:
-    apiVersion: controlplane.cluster.x-k8s.io/v1alpha1
-    kind: RKE2ControlPlane
-    name: test1-control-plane
-  infrastructureRef:
-    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
-    kind: DockerCluster
-    name: test1
----
-apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
-kind: DockerCluster
-metadata:
-  name: test1
-  namespace: default
-spec:
-  loadBalancer:
-    customHAProxyConfigTemplateRef:
-      name: test-lb-config
----
-apiVersion: controlplane.cluster.x-k8s.io/v1alpha1
-kind: RKE2ControlPlane
-metadata:
-  name: test1-control-plane
-  namespace: default
-spec:
-  agentConfig:
-    version: v1.31.0+rke2r1
-  # nodeAnnotations:
-  #   richtest: "true"
-  infrastructureRef:
-    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
-    kind: DockerMachineTemplate
-    name: controlplane
-  nodeDrainTimeout: 2m
-  replicas: 1
-  serverConfig:
-    cni: calico
----
-apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
-kind: DockerMachineTemplate
-metadata:
-  name: controlplane
-  namespace: default
-spec:
-  template:
-    spec: {}
----
-apiVersion: cluster.x-k8s.io/v1beta1
-kind: MachineDeployment
-metadata:
-  name: worker-md-0
-  namespace: default
-spec:
-  clusterName: test1
-  replicas: 1
-  selector:
-    matchLabels:
-      cluster.x-k8s.io/cluster-name: test1
-  template:
-    spec:
-      bootstrap:
-        configRef:
-          apiVersion: bootstrap.cluster.x-k8s.io/v1alpha1
-          kind: RKE2ConfigTemplate
-          name: test1-agent
-      clusterName: test1
-      infrastructureRef:
-        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
-        kind: DockerMachineTemplate
-        name: worker
-      version: v1.31.0
----
-apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
-kind: DockerMachineTemplate
-metadata:
-  name: worker
-  namespace: default
-spec:
-  template:
-    spec: {}
----
-apiVersion: bootstrap.cluster.x-k8s.io/v1alpha1
-kind: RKE2ConfigTemplate
-metadata:
-  name: test1-agent
-  namespace: default
-spec:
-  template:
-    spec:
-      agentConfig:
-        version: v1.31.0+rke2r1
-      #nodeAnnotations:
-      #  richtest: "true"
-      # postRKE2Commands:
-      # - kubectl --kubeconfig /var/lib/rancher/rke2/agent/kubelet.kubeconfig annotate node $(hostname) richtest=true
+  name: docker-demo-lb-config
+  annotations:
+    "helm.sh/resource-policy": keep
diff --git a/testdata/config.yaml b/testdata/config.yaml
index 09b3cda..5ff4aa8 100644
--- a/testdata/config.yaml
+++ b/testdata/config.yaml
@@ -21,5 +21,5 @@ spec:
       matchLabels:
         import: ""
   install:
-    version: v0.12.0-alpha.14 # We will install alpha for helmapp support
+    version: v0.12.0-beta.1 # We will install alpha for helmapp support
 
diff --git a/testdata/gitrepo-calico.yaml b/testdata/gitrepo-calico.yaml
new file mode 100644
index 0000000..4376504
--- /dev/null
+++ b/testdata/gitrepo-calico.yaml
@@ -0,0 +1,13 @@
+apiVersion: fleet.cattle.io/v1alpha1
+kind: GitRepo
+metadata:
+  name: calico
+spec:
+  branch: main
+  paths:
+  - /fleet/applications/calico
+  repo: https://github.com/rancher-sandbox/cluster-api-addon-provider-fleet.git
+  targets:
+  - clusterSelector:
+      matchLabels:
+        cni: calico
diff --git a/testdata/helm.yaml b/testdata/helm.yaml
index cb43b49..91672f6 100644
--- a/testdata/helm.yaml
+++ b/testdata/helm.yaml
@@ -25,4 +25,4 @@ spec:
   insecureSkipTLSVerify: true
   targets:
   - clusterName: docker-demo
-  - clusterGroup: quick-start
+  - clusterGroup: quick-start.clusterclass