diff --git a/.github/scripts/configure-backend.sh b/.github/scripts/configure-backend.sh index 0ddd61e3..d683ea85 100755 --- a/.github/scripts/configure-backend.sh +++ b/.github/scripts/configure-backend.sh @@ -15,6 +15,7 @@ usage() { echo " -c, --component Component: base-infra, infra, observ-infra (required)" echo " -b, --branch Branch name for state key (required for remote)" echo " -r, --remote-config Remote backend config string (required for remote)" + echo " --profile Infrastructure profile (e.g., mosip, esignet) - included in state key" echo " --enable-locking Enable state locking (optional, for production)" echo " -h, --help Show this help message" echo "" @@ -44,6 +45,7 @@ CLOUD_PROVIDER="" COMPONENT="" BRANCH_NAME="" REMOTE_CONFIG="" +PROFILE="" ENABLE_LOCKING=false # Parse command line arguments @@ -73,6 +75,14 @@ while [[ $# -gt 0 ]]; do ENABLE_LOCKING=true shift ;; + --profile) + if [[ -z "$2" || "$2" == -* ]]; then + echo "Error: --profile requires a non-empty argument that is not an option flag." + exit 1 + fi + PROFILE="$2" + shift 2 + ;; -h|--help) usage exit 0 @@ -129,6 +139,7 @@ echo "=== MOSIP Terraform Backend Configuration ===" echo "Backend type: $BACKEND_TYPE" echo "Cloud provider: $CLOUD_PROVIDER" echo "Component: $COMPONENT" +echo "Profile: ${PROFILE:-none}" echo "Branch: $BRANCH_NAME" echo "=============================================" 
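Review bot: `PROFILE="$2"` in the new `--profile` arm accepts any string, and that value is later spliced into the local state file name and the S3/Azure/GCS state keys, so a value containing `/` or `..` silently changes where the state lands. The workflows pass a choice input, but the script is a standalone CLI and nothing in it restricts the value; add a token check right after the flag-shape test, e.g. `[[ "$2" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Error: --profile must contain only [A-Za-z0-9._-]." >&2; exit 1; }`. The usage line added in the first hunk could state that restriction too.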
@@ -137,11 +148,17 @@ create_local_backend() { local provider="$1" local component="$2" local branch="$3" + local profile="$4" # Include branch name for consistency and to avoid conflicts # Use 'local' as default branch name if not provided local branch_suffix="${branch:-local}" - local state_file="${provider}-${component}-${branch_suffix}-terraform.tfstate" + local state_file + if [ -n "$profile" ]; then + state_file="${provider}-${component}-${profile}-${branch_suffix}-terraform.tfstate" + else + state_file="${provider}-${component}-${branch_suffix}-terraform.tfstate" + fi echo "Configuring local backend..." echo "State file will be: $state_file" @@ -184,7 +201,12 @@ create_aws_backend() { region="$DYNAMIC_REGION" fi - local state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate" + local state_key + if [ -n "$PROFILE" ]; then + state_key="${CLOUD_PROVIDER}-${component}-${PROFILE}-${branch}-terraform.tfstate" + else + state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate" + fi echo "Configuring AWS S3 backend..." echo "Base bucket name: $bucket_base_name" @@ -251,7 +273,12 @@ create_azure_backend() { fi # Include branch name in state key to avoid conflicts - local state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate" + local state_key + if [ -n "$PROFILE" ]; then + state_key="${CLOUD_PROVIDER}-${component}-${PROFILE}-${branch}-terraform.tfstate" + else + state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate" + fi echo "Configuring Azure Storage backend..." echo "Resource Group: $resource_group" 
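Review bot: The four-line `if [ -n "$profile" ]` / `else` block that builds `state_file` is repeated with the same shape for `state_key` in create_aws_backend and create_azure_backend on this line and for `state_prefix` in create_gcp_backend in the next hunk, and each copy sources the profile differently: create_local_backend takes it as `$4` while the three remote builders read the global `PROFILE`. A single parameter expansion expresses the optional segment without the branch and without the `[ ]` style that the rest of the script avoids: `local state_file="${provider}-${component}${profile:+-${profile}}-${branch_suffix}-terraform.tfstate"`, with `${PROFILE:+-${PROFILE}}` in the remote variants. Passing the profile explicitly to the remote builders as well would keep the naming rule in one place.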
@@ -294,7 +321,12 @@ create_gcp_backend() { fi # Include branch name in prefix to avoid conflicts - local state_prefix="terraform/${CLOUD_PROVIDER}-${component}-${branch}" + local state_prefix + if [ -n "$PROFILE" ]; then + state_prefix="terraform/${CLOUD_PROVIDER}-${component}-${PROFILE}-${branch}" + else + state_prefix="terraform/${CLOUD_PROVIDER}-${component}-${branch}" + fi echo "Configuring GCS backend..." echo "Bucket: $bucket_name" @@ -323,7 +355,7 @@ EOF # Main execution main() { if [ "$BACKEND_TYPE" = "local" ]; then - create_local_backend "$CLOUD_PROVIDER" "$COMPONENT" "$BRANCH_NAME" + create_local_backend "$CLOUD_PROVIDER" "$COMPONENT" "$BRANCH_NAME" "$PROFILE" elif [ "$BACKEND_TYPE" = "remote" ]; then # Parse remote configuration diff --git a/.github/workflows/helmsman_esignet.yml b/.github/workflows/helmsman_esignet.yml index 81c4b878..250b6ae0 100644 --- a/.github/workflows/helmsman_esignet.yml +++ b/.github/workflows/helmsman_esignet.yml @@ -3,6 +3,15 @@ name: Deploy eSignet using Helmsman on: workflow_dispatch: inputs: + profile: + description: "Deployment profile to use" + required: true + default: "mosip-platform-java11" + type: choice + options: + - mosip-platform-java11 + - mosip-platform-java21 + - esignet mode: description: "Choose Helmsman mode: dry-run or apply" required: true @@ -23,7 +32,7 @@ on: type: boolean push: paths: - - Helmsman/dsf/esignet-dsf.yaml + - Helmsman/dsf/**/esignet-dsf.yaml jobs: deploy: 
@@ -92,7 +101,31 @@ jobs: echo "HELMSMAN_MODE=apply" >> $GITHUB_ENV else echo "HELMSMAN_MODE=${{ github.event.inputs.mode }}" >> $GITHUB_ENV - fi + fi + + - name: Set Profile + run: | + # Determine profile: from workflow input or detect from changed files on push + if [ -n "${{ github.event.inputs.profile }}" ]; then + PROFILE="${{ github.event.inputs.profile }}" + else + # Auto-detect profile from push trigger — extract profile dir name from changed files + # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone) + BEFORE="${{ github.event.before }}" + SHA="${{ github.sha }}" + if [[ -z "$BEFORE" || "$BEFORE" == "0000000000000000000000000000000000000000" ]]; then + BEFORE="HEAD~1" + fi + CHANGED_FILES=$(git diff --name-only "$BEFORE" "$SHA" -- 'Helmsman/dsf/' 2>/dev/null || \ + git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") + PROFILE=$(echo "$CHANGED_FILES" | grep 'esignet-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') + if [[ -z "$PROFILE" ]]; then + echo "Error: could not detect profile from changed DSF files." + exit 1 + fi + fi + echo "PROFILE=$PROFILE" >> "$GITHUB_ENV" + echo "Using profile: $PROFILE" - name: Setup ufw firewall run: | @@ -151,7 +184,7 @@ jobs: kubectl cluster-info - name: Check if mosip-dsf label is completed - if: ${{ github.event.inputs.skip_mosip_dsf_check != 'true' && vars.ESIGNET_STANDALONE_MODE != 'true' }} + if: ${{ github.event.inputs.skip_mosip_dsf_check != 'true' && vars.ESIGNET_STANDALONE_MODE != 'true' && github.event.inputs.profile != 'esignet' }} run: | STATUS=$(kubectl get namespace default -o jsonpath='{.metadata.labels.mosip-dsf}' 2>/dev/null || echo "") if [[ "$STATUS" != "completed" ]]; then 
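Review bot: The auto-detected `PROFILE` is later used as a path segment in `helmsman -f $WORKDIR/dsf/$PROFILE/esignet-dsf.yaml` without being checked against the profiles this workflow knows: `grep 'esignet-dsf.yaml'` is unanchored with an unescaped dot (the mosip and testrigs workflows use `mosip-dsf\.yaml` / `testrigs-dsf\.yaml`), and when the `sed` capture does not match (a file not under a profile subdirectory) the whole path passes through as the profile. `head -1` also deploys only the first profile, silently, when one push touches several. After the empty check, validate the value, e.g. `case "$PROFILE" in mosip-platform-java11|mosip-platform-java21|esignet) ;; *) echo "Error: unexpected profile '$PROFILE'" >&2; exit 1 ;; esac`, and print a warning when `CHANGED_FILES` yields more than one profile directory. The same applies to the Set Profile steps added in helmsman_mosip.yml and helmsman_testrigs.yml.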
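Review bot: The added `github.event.inputs.profile != 'esignet'` condition only works for manual dispatch; on a push trigger `inputs.profile` is empty, the comparison is true, and the mosip-dsf label check still runs even when the Set Profile step detected the `esignet` profile. That step already exports `PROFILE` to `$GITHUB_ENV`, so compare the env value instead: `if: ${{ github.event.inputs.skip_mosip_dsf_check != 'true' && vars.ESIGNET_STANDALONE_MODE != 'true' && env.PROFILE != 'esignet' }}`.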
@@ -329,7 +362,8 @@ jobs: # Run helmsman with the determined mode # --keep-untracked-releases prevents deletion of releases managed by other DSF files (e.g., postgres-init from external-dsf) - helmsman --${HELMSMAN_MODE} --keep-untracked-releases -f $WORKDIR/dsf/esignet-dsf.yaml + echo "Using DSF: $WORKDIR/dsf/$PROFILE/esignet-dsf.yaml" + helmsman --${HELMSMAN_MODE} --keep-untracked-releases -f $WORKDIR/dsf/$PROFILE/esignet-dsf.yaml - name: Label namespace on successful deployment if: success() && env.HELMSMAN_MODE == 'apply' @@ -343,6 +377,7 @@ jobs: echo "==================================" echo "eSignet Deployment Summary" echo "==================================" + echo "Profile: $PROFILE" echo "Mode: $HELMSMAN_MODE" echo "Branch: ${{ github.ref_name }}" echo "Commit: ${{ github.sha }}" diff --git a/.github/workflows/helmsman_external.yml b/.github/workflows/helmsman_external.yml index 7f2f0a8f..0e40a69b 100644 --- a/.github/workflows/helmsman_external.yml +++ b/.github/workflows/helmsman_external.yml @@ -3,6 +3,15 @@ name: Deploy External services of mosip using Helmsman on: workflow_dispatch: inputs: + profile: + description: "Deployment profile to use" + required: true + default: "mosip-platform-java11" + type: choice + options: + - mosip-platform-java11 + - mosip-platform-java21 + - esignet mode: description: "Choose Helmsman mode: dry-run or apply" required: true @@ -10,11 +19,11 @@ on: type: choice options: - dry-run - - apply + - apply push: paths: - - Helmsman/dsf/prereq-dsf.yaml - - Helmsman/dsf/external-dsf.yaml + - Helmsman/dsf/**/prereq-dsf.yaml + - Helmsman/dsf/**/external-dsf.yaml permissions: actions: write @@ -24,6 +33,7 @@ jobs: runs-on: ubuntu-latest outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} + profile: ${{ steps.set-matrix.outputs.PROFILE }} steps: - name: Checkout repository with full history uses: actions/checkout@v4 
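Review bot: `-f $WORKDIR/dsf/$PROFILE/esignet-dsf.yaml` is passed unquoted, and nothing confirms the profile directory exists before helmsman runs, so a wrong profile surfaces as a helmsman file-open error rather than a clear message. Add a guard above the call, `DSF="$WORKDIR/dsf/$PROFILE/esignet-dsf.yaml"; [ -f "$DSF" ] || { echo "Error: DSF not found: $DSF" >&2; exit 1; }`, and pass `-f "$DSF"`. The same shape appears in the helmsman invocations added to helmsman_mosip.yml and helmsman_testrigs.yml.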
@@ -35,39 +45,53 @@ jobs: run: | matrix_json='{"include":[]}' if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then - matrix_json='{"include":[{"dsf_files":"prereq-dsf.yaml","wg_conf":"wg0"},{"dsf_files":"external-dsf.yaml","wg_conf":"wg1"}]}' + PROFILE="${{ github.event.inputs.profile }}" + matrix_json="{\"include\":[{\"dsf_files\":\"${PROFILE}/prereq-dsf.yaml\",\"wg_conf\":\"wg0\"},{\"dsf_files\":\"${PROFILE}/external-dsf.yaml\",\"wg_conf\":\"wg1\"}]}" else # Handle different event types properly if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then - # For push events, use GitHub's provided SHAs - base_sha="${{ github.event.before}}" + base_sha="${{ github.event.before }}" head_sha="${{ github.sha }}" elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then - # For PRs, compare against target branch base_sha="${{ github.event.pull_request.base.sha }}" head_sha="${{ github.event.pull_request.head.sha }}" fi - # Get changed files safely - changed_files=$(git diff --name-only "$base_sha" "$head_sha" -- 'Helmsman/dsf/' || echo "") - + # Get changed files safely; fall back to HEAD~1 if base_sha is unreachable + changed_files=$(git diff --name-only "$base_sha" "$head_sha" -- 'Helmsman/dsf/' 2>/dev/null || \ + git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") + entries=() - - # Check for exact file paths - if echo "$changed_files" | grep -qx 'Helmsman/dsf/prereq-dsf.yaml'; then - entries+=('{"dsf_files":"prereq-dsf.yaml","wg_conf":"wg0"}') - fi - - if echo "$changed_files" | grep -qx 'Helmsman/dsf/external-dsf.yaml'; then - entries+=('{"dsf_files":"external-dsf.yaml","wg_conf":"wg1"}') + + # Dynamically detect changed profiles from file paths + changed_profiles=$(echo "$changed_files" | grep 'Helmsman/dsf/' | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|' | sort -u) + + # Derive PROFILE from the changed files (all detected profile dirs, newline-separated) + # For workflow-caller, we only care about mosip-platform-* profiles + PROFILE=$(echo 
"$changed_profiles" | grep '^mosip-platform-' | head -1) + if [[ -z "$PROFILE" ]]; then + # No MOSIP profile detected - this is fine for esignet-only changes + PROFILE="" fi - + + for profile_dir in $changed_profiles; do + if echo "$changed_files" | grep -q "Helmsman/dsf/${profile_dir}/prereq-dsf.yaml"; then + entries+=("{\"dsf_files\":\"${profile_dir}/prereq-dsf.yaml\",\"wg_conf\":\"wg0\"}") + fi + + if echo "$changed_files" | grep -q "Helmsman/dsf/${profile_dir}/external-dsf.yaml"; then + entries+=("{\"dsf_files\":\"${profile_dir}/external-dsf.yaml\",\"wg_conf\":\"wg1\"}") + fi + done + if [ ${#entries[@]} -gt 0 ]; then matrix_json="{\"include\":[$(IFS=,; echo "${entries[*]}")]}" fi fi + echo "Using profile: $PROFILE" echo "matrix=$matrix_json" >> $GITHUB_OUTPUT + echo "PROFILE=$PROFILE" >> $GITHUB_OUTPUT deploy: runs-on: ubuntu-latest needs: set-matrix @@ -240,18 +264,20 @@ jobs: workflow-caller: runs-on: ubuntu-latest - needs: deploy - if: ${{ github.event_name == 'workflow_dispatch' }} + needs: [deploy, set-matrix] + # Only trigger MOSIP workflow for mosip-platform profiles, not for standalone esignet + if: ${{ startsWith(needs.set-matrix.outputs.profile, 'mosip-platform-') }} steps: - name: Trigger helmsman mosip workflow via API env: GITHUB_REPO: ${{ github.repository }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} BRANCH: ${{ github.ref_name }} + MODE: ${{ github.event.inputs.mode }} run: | curl -X POST \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer $GITHUB_TOKEN" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/$GITHUB_REPO/actions/workflows/helmsman_mosip.yml/dispatches \ - -d '{"ref":"'"$BRANCH"'","inputs":{"mode":"apply"}}' \ No newline at end of file + -d '{"ref":"'"$BRANCH"'","inputs":{"mode":"'"${MODE:-apply}"'","profile":"'"${{ needs.set-matrix.outputs.profile }}"'"}}' \ No newline at end of file 
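Review bot: The per-profile file checks use `grep -q "Helmsman/dsf/${profile_dir}/prereq-dsf.yaml"` where the removed code used `grep -qx` on the exact path; the new pattern is unanchored, treats dots as wildcards and interpolates `profile_dir` as a regex, so a similarly named file such as `prereq-dsf.yaml.bak` would match. Use `grep -qxF -- "Helmsman/dsf/${profile_dir}/prereq-dsf.yaml"` (and likewise for external-dsf.yaml). Because `profile_dir` is also interpolated verbatim into `matrix_json` and is reused downstream as a path segment, a filter such as `[[ "$profile_dir" =~ ^[A-Za-z0-9._-]+$ ]] || continue` at the top of the loop keeps the JSON well-formed; note the `changed_profiles` derivation passes a file directly under `Helmsman/dsf/` through `sed` unchanged, which is one way a non-directory value reaches this loop. The `if [[ -z "$PROFILE" ]]; then PROFILE=""; fi` block is a no-op and can be replaced by its comment alone.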
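Review bot: `${{ needs.set-matrix.outputs.profile }}` is expanded directly inside the `run:` script (within the quoted JSON body) while `MODE` was correctly moved to `env:`; on a push trigger that output is derived from a directory name in the pushed tree, so a value containing a quote or `$(` would alter the shell command that carries `GITHUB_TOKEN`. Move it next to MODE as `PROFILE: ${{ needs.set-matrix.outputs.profile }}` and build the body from variables with jq, `-d "$(jq -cn --arg ref "$BRANCH" --arg mode "${MODE:-apply}" --arg profile "$PROFILE" '{ref:$ref,inputs:{mode:$mode,profile:$profile}}')"`, which also JSON-escapes the values. The `startsWith(..., 'mosip-platform-')` guard in `if:` narrows the accepted values but does not validate the rest of the string.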
diff --git a/.github/workflows/helmsman_mosip.yml b/.github/workflows/helmsman_mosip.yml index 242f0aef..6eb4484b 100644 --- a/.github/workflows/helmsman_mosip.yml +++ b/.github/workflows/helmsman_mosip.yml @@ -3,6 +3,14 @@ name: Deploy Mosip services of mosip using Helmsman on: workflow_dispatch: inputs: + profile: + description: "Choose MOSIP platform profile" + required: true + default: "mosip-platform-java11" + type: choice + options: + - mosip-platform-java11 + - mosip-platform-java21 mode: description: "Choose Helmsman mode: dry-run or apply" required: true @@ -13,7 +21,7 @@ on: - apply push: paths: - - Helmsman/dsf/mosip-dsf.yaml + - Helmsman/dsf/**/mosip-dsf.yaml jobs: deploy: @@ -63,6 +71,29 @@ jobs: echo "HELMSMAN_MODE=${{ github.event.inputs.mode }}" >> $GITHUB_ENV fi + - name: Set Profile + run: | + if [ -n "${{ github.event.inputs.profile }}" ]; then + PROFILE="${{ github.event.inputs.profile }}" + else + # Auto-detect profile from push trigger — extract profile dir name from changed files + # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone) + BEFORE="${{ github.event.before }}" + SHA="${{ github.sha }}" + if [[ -z "$BEFORE" || "$BEFORE" == "0000000000000000000000000000000000000000" ]]; then + BEFORE="HEAD~1" + fi + CHANGED_FILES=$(git diff --name-only "$BEFORE" "$SHA" -- 'Helmsman/dsf/' 2>/dev/null || \ + git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") + PROFILE=$(echo "$CHANGED_FILES" | grep 'mosip-dsf\.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') + if [[ -z "$PROFILE" ]]; then + echo "Error: could not detect profile from changed DSF files." + exit 1 + fi + fi + echo "PROFILE=$PROFILE" >> "$GITHUB_ENV" + echo "Using profile: $PROFILE" + - name: Setup ufw firewall run: | sudo ufw enable 
@@ -134,8 +165,9 @@ jobs: echo "Using kubectl: $(which kubectl)" echo "Using kubeconfig: $KUBECONFIG" - # Run helmsman with the determined mode - helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/mosip-dsf.yaml + # Run helmsman with the determined mode and profile + echo "Using profile: $PROFILE" + helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/${PROFILE}/mosip-dsf.yaml - name: Health Check MOSIP Pods run: | diff --git a/.github/workflows/helmsman_testrigs.yml b/.github/workflows/helmsman_testrigs.yml index 0dac8595..3d1d87fa 100644 --- a/.github/workflows/helmsman_testrigs.yml +++ b/.github/workflows/helmsman_testrigs.yml @@ -3,6 +3,14 @@ name: Deploy Testrigs of mosip using Helmsman on: workflow_dispatch: inputs: + profile: + description: "Choose MOSIP platform profile" + required: true + default: "mosip-platform-java11" + type: choice + options: + - mosip-platform-java11 + - mosip-platform-java21 mode: description: "Choose Helmsman mode: dry-run or apply" required: true @@ -13,7 +21,7 @@ on: - apply push: paths: - - Helmsman/dsf/testrigs-dsf.yaml + - Helmsman/dsf/**/testrigs-dsf.yaml jobs: deploy: 
@@ -63,6 +71,29 @@ jobs: echo "HELMSMAN_MODE=${{ github.event.inputs.mode }}" >> $GITHUB_ENV fi + - name: Set Profile + run: | + if [ -n "${{ github.event.inputs.profile }}" ]; then + PROFILE="${{ github.event.inputs.profile }}" + else + # Auto-detect profile from push trigger — extract profile dir name from changed files + # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone) + BEFORE="${{ github.event.before }}" + SHA="${{ github.sha }}" + if [[ -z "$BEFORE" || "$BEFORE" == "0000000000000000000000000000000000000000" ]]; then + BEFORE="HEAD~1" + fi + CHANGED_FILES=$(git diff --name-only "$BEFORE" "$SHA" -- 'Helmsman/dsf/' 2>/dev/null || \ + git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") + PROFILE=$(echo "$CHANGED_FILES" | grep 'testrigs-dsf\.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') + if [[ -z "$PROFILE" ]]; then + echo "Error: could not detect profile from changed DSF files." + exit 1 + fi + fi + echo "PROFILE=$PROFILE" >> "$GITHUB_ENV" + echo "Using profile: $PROFILE" + - name: Setup ufw firewall run: | sudo ufw enable @@ -134,5 +165,6 @@ jobs: echo "Using kubectl: $(which kubectl)" echo "Using kubeconfig: $KUBECONFIG" - # Run helmsman with the determined mode - helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/testrigs-dsf.yaml \ No newline at end of file + # Run helmsman with the determined mode and profile + echo "Using profile: $PROFILE" + helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/${PROFILE}/testrigs-dsf.yaml \ No newline at end of file diff --git a/.github/workflows/terraform-destroy.yml b/.github/workflows/terraform-destroy.yml index a4278f3b..3bc43842 100644 --- a/.github/workflows/terraform-destroy.yml +++ b/.github/workflows/terraform-destroy.yml 
@@ -18,7 +18,7 @@ name: terraform destroy # Prevent concurrent destroy runs for same component concurrency: - group: terraform-destroy-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.ref_name }} + group: terraform-destroy-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.event.inputs.INFRA_PROFILE }}-${{ github.ref_name }} cancel-in-progress: false on: @@ -41,6 +41,14 @@ on: - base-infra - observ-infra default: infra + INFRA_PROFILE: + description: 'Infrastructure profile (only for infra component — ignored for base-infra/observ-infra)' + required: false + type: choice + options: + - mosip + - esignet + default: mosip BACKEND_TYPE: description: 'Choose Terraform backend type (must match the one used during creation)' required: true @@ -105,11 +113,17 @@ jobs: exit 1 fi - # Check if tfvars file exists - if [ ! -f "${{ inputs.CLOUD_PROVIDER }}.tfvars" ]; then - echo "Configuration file '${{ inputs.CLOUD_PROVIDER }}.tfvars' not found in current directory." + # Check if tfvars file exists (profile-aware for infra component) + TFVARS_FILE="${{ inputs.CLOUD_PROVIDER }}.tfvars" + if [ "${{ inputs.TERRAFORM_COMPONENT }}" = "infra" ] && [ -n "${{ inputs.INFRA_PROFILE }}" ]; then + TFVARS_FILE="profiles/${{ inputs.INFRA_PROFILE }}/${{ inputs.CLOUD_PROVIDER }}.tfvars" + fi + if [ ! -f "$TFVARS_FILE" ]; then + echo "Configuration file '$TFVARS_FILE' not found in current directory." exit 1 fi + echo "TFVARS_FILE=$TFVARS_FILE" >> $GITHUB_ENV + echo "Using tfvars: $TFVARS_FILE" - name: Check Cloud Storage for Remote State (All Providers) run: | 
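Review bot: The concurrency group now includes `INFRA_PROFILE` for every component, but the input's own description says the profile is ignored for base-infra and observ-infra and the backend step only passes `--profile` when the component is `infra`; two destroy runs for base-infra that differ only in the profile value therefore land in different groups and can run concurrently against the same state, which is what the group exists to prevent. Include the profile only when it selects a distinct state, e.g. `group: terraform-destroy-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.event.inputs.TERRAFORM_COMPONENT == 'infra' && github.event.inputs.INFRA_PROFILE || '' }}-${{ github.ref_name }}`. The same change applies to the concurrency group in terraform.yml.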
@@ -169,13 +183,18 @@ jobs: - name: Configure Terraform Backend for State Management run: | # Use backend configuration script for cleaner code + PROFILE_ARG="" + if [ "${{ inputs.TERRAFORM_COMPONENT }}" = "infra" ] && [ -n "${{ inputs.INFRA_PROFILE }}" ]; then + PROFILE_ARG="--profile ${{ inputs.INFRA_PROFILE }}" + fi ../../../../.github/scripts/configure-backend.sh \ --type "${{ inputs.BACKEND_TYPE }}" \ --provider "${{ inputs.CLOUD_PROVIDER }}" \ --component "${{ inputs.TERRAFORM_COMPONENT }}" \ --branch "${{ github.ref_name }}" \ --remote-config "${{ inputs.REMOTE_BACKEND_CONFIG }}" \ - ${{ inputs.ENABLE_STATE_LOCKING == true && '--enable-locking' || '' }} + ${{ inputs.ENABLE_STATE_LOCKING == true && '--enable-locking' || '' }} \ + $PROFILE_ARG - name: Skip SSH Host key verification run: | @@ -348,20 +367,20 @@ jobs: fi - name: Terraform refresh - run: terraform refresh -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -no-color + run: terraform refresh -input=false -var-file="$TFVARS_FILE" -no-color if: "${{ inputs.TERRAFORM_DESTROY == true }}" - name: Terraform Destroy Plan id: destroy-plan run: | echo "Showing what will be destroyed..." - terraform plan -destroy -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -no-color + terraform plan -destroy -input=false -var-file="$TFVARS_FILE" -no-color if: "${{ inputs.TERRAFORM_DESTROY == true }}" continue-on-error: true - name: Terraform Destroy id: destroy - run: terraform destroy -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -no-color -auto-approve + run: terraform destroy -input=false -var-file="$TFVARS_FILE" -no-color -auto-approve if: "${{ inputs.TERRAFORM_DESTROY == true }}" continue-on-error: true diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 9813bb54..d1f7d980 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml 
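Review bot: `PROFILE_ARG="--profile ${{ inputs.INFRA_PROFILE }}"` relies on unquoted word-splitting of `$PROFILE_ARG` at the end of the command to turn one string into two arguments; it works for the current choice values but is the SC2086 pattern and breaks for any value containing whitespace. Use an array instead: `PROFILE_ARGS=()`, then `PROFILE_ARGS+=(--profile "${{ inputs.INFRA_PROFILE }}")` inside the branch, and `"${PROFILE_ARGS[@]}"` as the final argument. The same shape appears in the Configure Terraform Backend step of terraform.yml. Since `INFRA_PROFILE` is a choice input with a default, the `-n` test appears to be always true on dispatch and the component check alone carries the logic.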
@@ -18,7 +18,7 @@ name: terraform plan / apply # Prevent concurrent runs for same component to avoid state conflicts concurrency: - group: terraform-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.ref_name }} + group: terraform-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.event.inputs.INFRA_PROFILE }}-${{ github.ref_name }} cancel-in-progress: false on: @@ -41,6 +41,14 @@ on: - infra - observ-infra default: infra + INFRA_PROFILE: + description: 'Infrastructure profile (only for infra component — ignored for base-infra/observ-infra)' + required: false + type: choice + options: + - mosip + - esignet + default: mosip BACKEND_TYPE: description: 'Choose Terraform backend type' required: true @@ -106,11 +114,17 @@ jobs: exit 1 fi - # Check if tfvars file exists - if [ ! -f "${{ inputs.CLOUD_PROVIDER }}.tfvars" ]; then - echo "Configuration file '${{ inputs.CLOUD_PROVIDER }}.tfvars' not found in current directory." + # Check if tfvars file exists (profile-aware for infra component) + TFVARS_FILE="${{ inputs.CLOUD_PROVIDER }}.tfvars" + if [ "${{ inputs.TERRAFORM_COMPONENT }}" = "infra" ] && [ -n "${{ inputs.INFRA_PROFILE }}" ]; then + TFVARS_FILE="profiles/${{ inputs.INFRA_PROFILE }}/${{ inputs.CLOUD_PROVIDER }}.tfvars" + fi + if [ ! -f "$TFVARS_FILE" ]; then + echo "Configuration file '$TFVARS_FILE' not found in current directory." exit 1 fi + echo "TFVARS_FILE=$TFVARS_FILE" >> $GITHUB_ENV + echo "Using tfvars: $TFVARS_FILE" - name: Setup Cloud Storage for Remote State (All Providers) run: | 
@@ -131,13 +145,18 @@ jobs: - name: Configure Terraform Backend for State Management run: | # Use backend configuration script for cleaner code + PROFILE_ARG="" + if [ "${{ inputs.TERRAFORM_COMPONENT }}" = "infra" ] && [ -n "${{ inputs.INFRA_PROFILE }}" ]; then + PROFILE_ARG="--profile ${{ inputs.INFRA_PROFILE }}" + fi ../../../../.github/scripts/configure-backend.sh \ --type "${{ inputs.BACKEND_TYPE }}" \ --provider "${{ inputs.CLOUD_PROVIDER }}" \ --component "${{ inputs.TERRAFORM_COMPONENT }}" \ --branch "${{ github.ref_name }}" \ --remote-config "${{ inputs.REMOTE_BACKEND_CONFIG }}" \ - ${{ inputs.ENABLE_STATE_LOCKING == true && '--enable-locking' || '' }} + ${{ inputs.ENABLE_STATE_LOCKING == true && '--enable-locking' || '' }} \ + $PROFILE_ARG - name: Skip SSH Host key verification run: | @@ -330,12 +349,12 @@ jobs: - name: Terraform Plan id: plan run: | - terraform plan -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -out ./tf-plan -no-color + terraform plan -input=false -var-file="$TFVARS_FILE" -out ./tf-plan -no-color continue-on-error: true - name: Terraform Apply id: apply - run: terraform apply -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -no-color -auto-approve + run: terraform apply -input=false -var-file="$TFVARS_FILE" -no-color -auto-approve if: "${{ inputs.TERRAFORM_APPLY == true }}" continue-on-error: true diff --git a/Helmsman/dsf/esignet/esignet-dsf.yaml b/Helmsman/dsf/esignet/esignet-dsf.yaml new file mode 100644 index 00000000..8e26fc8c --- /dev/null +++ b/Helmsman/dsf/esignet/esignet-dsf.yaml 
@@ -0,0 +1,222 @@ +# ============================================================================= +# eSignet Profile - eSignet Services DSF (Desired State File) +# ============================================================================= +# This DSF deploys eSignet v1.7.1 services for the standalone eSignet profile. +# +# Components (in priority order): +# 1. Keycloak Init (eSignet-specific clients and roles) +# 2. eSignet service v1.7.1 +# 3. OIDC UI v1.7.1 +# 4. Mock Identity System (optional, disabled by default) +# 5. Mock Relying Party Service (optional) +# 6. Mock Relying Party UI (optional) +# 7. Partner Onboarder (eSignet + Resident OIDC) +# 8. Demo OIDC Partner Onboarder +# +# Based on eSignet v1.7.1 deploy scripts: +# - install-esignet.sh +# - initialise-prereq.sh (keycloak-init) +# ============================================================================= + +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + +namespaces: + esignet: + protected: false + +apps: + # --------------------------------------------------------------------------- + # eSignet v1.7.1 + # --------------------------------------------------------------------------- + esignet: + namespace: esignet + enabled: true + version: 1.7.1 + chart: mosip/esignet + set: + image.repository: "mosipid/esignet" + image.tag: "1.7.1" + enable_insecure: "false" + extraEnvVarsCM[0]: "esignet-global" + extraEnvVarsCM[1]: "esignet-softhsm-share" + wait: true + timeout: 600 + priority: -12 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-preinstall.sh" + + # --------------------------------------------------------------------------- + # OIDC UI v1.7.1 + # --------------------------------------------------------------------------- + oidc-ui: + namespace: esignet + enabled: true + version: 1.7.1 + chart: mosip/oidc-ui + set: + istio.hosts[0]: 
"esignet.sandbox.xyz.net" + oidc_ui.oidc_service_host: "esignet.esignet" + oidc_ui.configmaps.oidc-ui.REACT_APP_API_BASE_URL: "http://esignet.esignet/v1/esignet" + oidc_ui.configmaps.oidc-ui.REACT_APP_SBI_DOMAIN_URI: "http://esignet.esignet" + timeout: 1200 + priority: -11 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/oidc-ui-preinstall.sh" + + # --------------------------------------------------------------------------- + # Mock Identity System (Optional) + # --------------------------------------------------------------------------- + # Enable for testing with mock identity data. + softhsm-mock-identity-system: + namespace: softhsm + enabled: false + version: 12.0.1 + chart: mosip/softhsm + valuesFile: "$WORKDIR/utils/softhsm-mock-identity-system-values.yaml" + wait: true + timeout: 480 + priority: -10 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/softhsm-mock-identity-system-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh" + + mock-identity-system: + namespace: esignet + enabled: false + version: 0.9.3 + chart: mosip/mock-identity-system + set: + enable_insecure: "false" + extraEnvVarsCM[0]: "esignet-global" + extraEnvVarsCM[1]: "esignet-softhsm-share" + extraEnvVarsCM[2]: "softhsm-mock-identity-system-share" + timeout: 480 + priority: -9 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh" + + # --------------------------------------------------------------------------- + # Mock Relying Party (Optional) + # --------------------------------------------------------------------------- + mock-relying-party-service: + namespace: esignet + enabled: false + version: 0.9.3 + chart: mosip/mock-relying-party-service + set: + mock_relying_party_service.ESIGNET_SERVICE_URL: "http://esignet.esignet/v1/esignet" + mock_relying_party_service.ESIGNET_AUD_URL: "https://esignet.sandbox.xyz.net/v1/esignet/oauth/v2/token" + enable_insecure: "false" + timeout: 480 + priority: -8 
+ hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh" + + mock-relying-party-ui: + namespace: esignet + enabled: false + version: 0.9.3 + chart: mosip/mock-relying-party-ui + set: + mock_relying_party_ui.mock_relying_party_ui_service_host: "healthservices.sandbox.xyz.net" + mock_relying_party_ui.ESIGNET_UI_BASE_URL: "https://esignet.sandbox.xyz.net" + mock_relying_party_ui.MOCK_RELYING_PARTY_SERVER_URL: "https://healthservices.sandbox.xyz.net/mock-relying-party-service" + mock_relying_party_ui.REDIRECT_URI: "https://healthservices.sandbox.xyz.net/userprofile" + mock_relying_party_ui.REDIRECT_URI_REGISTRATION: "https://healthservices.sandbox.xyz.net/registration" + mock_relying_party_ui.SIGN_IN_BUTTON_PLUGIN_URL: "https://esignet.sandbox.xyz.net/plugins/sign-in-button-plugin.js" + istio.hosts[0]: "healthservices.sandbox.xyz.net" + wait: true + timeout: 480 + priority: -7 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/mock-relying-party-ui-preinstall.sh" + + # --------------------------------------------------------------------------- + # Partner Onboarders + # --------------------------------------------------------------------------- + esignet-resident-oidc-partner-onboarder: + namespace: esignet + enabled: false + version: 12.0.1 + chart: mosip/partner-onboarder + set: + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: "false" + onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: "false" + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: "false" + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: "false" + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: "false" + onboarding.modules[5].name: "digitalcard" + 
onboarding.modules[5].enabled: "false" + onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: "true" + onboarding.modules[7].name: "resident-oidc" + onboarding.modules[7].enabled: "true" + onboarding.modules[8].name: "demo-oidc" + onboarding.modules[8].enabled: "false" + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: "false" + wait: true + waitForJobs: true + timeout: 240 + priority: -6 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh" + + esignet-demo-oidc-partner-onboarder: + namespace: esignet + enabled: false + version: 12.0.1 + chart: mosip/partner-onboarder + set: + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: "false" + onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: "false" + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: "false" + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: "false" + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: "false" + onboarding.modules[5].name: "digitalcard" + onboarding.modules[5].enabled: "false" + onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: "false" + onboarding.modules[7].name: "resident-oidc" + onboarding.modules[7].enabled: "false" + onboarding.modules[8].name: "demo-oidc" + onboarding.modules[8].enabled: "true" + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: "false" + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + wait: true + waitForJobs: true + 
timeout: 240 + priority: -5 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh" diff --git a/Helmsman/dsf/esignet/external-dsf.yaml b/Helmsman/dsf/esignet/external-dsf.yaml new file mode 100644 index 00000000..eda984ec --- /dev/null +++ b/Helmsman/dsf/esignet/external-dsf.yaml 
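Review bot: The header comment lists "1. Keycloak Init (eSignet-specific clients and roles)" as the first component in priority order, but no keycloak-init app is defined in this file — the first app is `esignet` at priority -12 — and items 7 and 8 (the two partner onboarders) are declared with `enabled: false`, so the list overstates what the DSF applies. Either add the missing app or rewrite the header to match the apps actually present, marking the onboarders optional the way the mock services are. The hostnames `esignet.sandbox.xyz.net` and `healthservices.sandbox.xyz.net` are environment-specific placeholders; a one-line comment naming them as values to override per environment would help the next maintainer, and `enable_insecure: "false"` is set consistently and should stay that way.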
@@ -0,0 +1,332 @@ +# ============================================================================= +# eSignet Profile - External Services DSF (Desired State File) +# ============================================================================= +# This DSF deploys only the external/infrastructure services required for +# standalone eSignet v1.7.1 deployment (without full MOSIP platform). +# +# Components: +# - PostgreSQL (optional, disable it if using external DB) +# - PostgreSQL Init (eSignet DB only - v1.7.1 branch) +# - Redis +# - Kafka + Kafka UI +# - SoftHSM for eSignet +# - Keycloak (for IAM / API access control) +# - Captcha validation service +# - Istio addons for service exposure +# +# Based on eSignet v1.7.1 deploy scripts: +# - install-prereq.sh +# - initialise-prereq.sh +# ============================================================================= + +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + kafka-ui: https://provectus.github.io/kafka-ui-charts + +namespaces: + postgres: + protected: true + keycloak: + protected: true + softhsm: + protected: false + redis: + protected: false + kafka: + protected: false + captcha: + protected: false + minio: + protected: false + esignet: + protected: true +apps: + # --------------------------------------------------------------------------- + # PostgreSQL Server + # --------------------------------------------------------------------------- + # Disabled by default - enable if deploying a new PostgreSQL instance. + # If using an external PostgreSQL, keep disabled and configure via + # generate-secret-cm.py or manual secret/configmap creation. 
+ postgres: + namespace: postgres + enabled: true + version: 13.1.5 + chart: bitnami/postgresql + wait: true + priority: -18 + valuesFile: "$WORKDIR/utils/postgres-values.yaml" + timeout: 1200 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/postgres-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/postgres-postinstall.sh" + + istio-addons-psql: + namespace: postgres + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/postgres-istio-addons-0.1.0.tgz + set: + postgresHost: "postgres.sandbox.xyz.net" + wait: true + priority: -17 + timeout: 1200 + + # --------------------------------------------------------------------------- + # PostgreSQL Init - eSignet Database Only + # --------------------------------------------------------------------------- + # Only initializes the mosip_esignet database (v1.7.1 branch). + # All other MOSIP databases are disabled since this is a standalone eSignet. + postgres-init-esignet: + namespace: esignet + enabled: true + version: 12.0.1 + chart: mosip/postgres-init + set: + dbUserPasswords.dbuserPassword: "$DB_USER_PASSWORD" + # Disable all MOSIP platform databases + databases.mosip_toolkit.enabled: "false" + databases.mosip_master.enabled: "false" + databases.mosip_audit.enabled: "false" + databases.mosip_keymgr.enabled: "false" + databases.mosip_kernel.enabled: "false" + databases.mosip_idmap.enabled: "false" + databases.mosip_prereg.enabled: "false" + databases.mosip_idrepo.enabled: "false" + databases.mosip_ida.enabled: "false" + databases.mosip_credential.enabled: "false" + databases.mosip_regprc.enabled: "false" + databases.mosip_regdevice.enabled: "false" + databases.mosip_authdevice.enabled: "false" + databases.mosip_pms.enabled: "false" + databases.mosip_hotlist.enabled: "false" + databases.mosip_resident.enabled: "false" + databases.mosip_digitalcard.enabled: "false" + # Enable eSignet database with v1.7.1 branch + databases.mosip_esignet.enabled: "true" + databases.mosip_esignet.branch: 
"v1.7.1" + databases.mosip_esignet.host: "postgres.sandbox.xyz.net" + databases.mosip_esignet.port: 5433 + databases.mosip_esignet.dml: 1 + # Mock identity system DB - disabled by default + databases.mosip_mockidentitysystem.enabled: "false" + databases.mosip_mockidentitysystem.branch: "v0.9.3" + databases.mosip_mockidentitysystem.host: "postgres.sandbox.xyz.net" + databases.mosip_mockidentitysystem.repoUrl: "https://github.com/mosip/esignet-mock-services.git" + databases.mosip_mockidentitysystem.port: 5433 + databases.mosip_mockidentitysystem.dml: 1 + wait: true + timeout: 180 + priority: -16 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-init-db.sh" + + # --------------------------------------------------------------------------- + # Redis + # --------------------------------------------------------------------------- + redis: + namespace: redis + enabled: true + version: 17.3.14 + chart: bitnami/redis + set: + image.repository: "mosipid/redis" + image.tag: "7.0.5-debian-11-r25" + image.pullPolicy: "Always" + wait: true + timeout: 480 + priority: -16 + hooks: + postInstall: "$WORKDIR/hooks/esignet-1.7.1/redis-setup.sh" + + # --------------------------------------------------------------------------- + # Kafka + # --------------------------------------------------------------------------- + kafka: + namespace: kafka + enabled: true + version: 18.3.1 + chart: bitnami/kafka + set: + image.repository: "mosipid/kafka" + image.tag: "3.2.1-debian-11-r9" + zookeeper.image.repository: "mosipid/zookeeper" + zookeeper.image.tag: "3.8.0-debian-11-r30" + clusterDomain: "cluster.local" + logRetentionBytes: "_1073741824" + defaultReplicationFactor: "3" + offsetsTopicReplicationFactor: "3" + transactionStateLogReplicationFactor: "3" + numPartitions: "20" + replicaCount: "5" + autoCreateTopicsEnable: "true" + deleteTopicEnable: "true" + persistence.enabled: "true" + persistence.accessModes[0]: "ReadWriteOnce" + persistence.size: "8Gi" + zookeeper.enabled: "true" + 
zookeeper.replicaCount: "5" + zookeeper.persistence.enabled: "true" + zookeeper.persistence.size: "2Gi" + resources.requests.cpu: "200m" + resources.requests.memory: "2000Mi" + startupProbe.enabled: "true" + startupProbe.initialDelaySeconds: "30" + startupProbe.periodSeconds: "10" + startupProbe.timeoutSeconds: "1" + startupProbe.failureThreshold: "30" + startupProbe.successThreshold: "1" + wait: true + timeout: 1200 + priority: -15 + hooks: + postInstall: "$WORKDIR/hooks/esignet-1.7.1/kafka-postinstall.sh" + + kafka-ui: + namespace: kafka + enabled: true + version: 0.4.2 + chart: kafka-ui/kafka-ui + set: + envs.config.KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: "kafka.kafka:9092" + envs.config.KAFKA_CLUSTERS_0_NAME: "main_kafka" + envs.config.KAFKA_CLUSTERS_0_ZOOKEEPER: "kafka-zookeeper.kafka:2181" + image.pullPolicy: "Always" + wait: true + timeout: 1200 + priority: -14 + + istio-addons-kafka: + namespace: kafka + enabled: true + version: 1.2.0 + chart: $WORKDIR/utils/istio-addons/kafka-istio-addons-1.2.0.tgz + set: + kafkaUiHost: "kafka.sandbox.xyz.net" + installName: "kafka-ui" + wait: true + timeout: 1200 + priority: -13 + + # --------------------------------------------------------------------------- + # SoftHSM for eSignet + # --------------------------------------------------------------------------- + # Note: v1.7.1 deploy scripts install softhsm in esignet namespace, + # but for consistency with existing hooks, we keep it in softhsm namespace. 
+ softhsm-esignet: + namespace: softhsm + enabled: true + version: 12.0.1 + chart: mosip/softhsm + valuesFile: "$WORKDIR/utils/softhsm-esignet-values.yaml" + timeout: 480 + priority: -12 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/softhsm-esignet-setup.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh" + + # --------------------------------------------------------------------------- + # Keycloak (IAM for API Access Control) + # --------------------------------------------------------------------------- + # Keycloak is optional for eSignet standalone. Enable if you need + # API access control for eSignet client management APIs. + keycloak: + namespace: keycloak + enabled: true + version: 7.1.18 + chart: mosip/keycloak + set: + image.repository: "mosipid/mosip-artemis-keycloak" + image.tag: "1.2.0.2" + image.pullPolicy: "Always" + postgresql.image.registry: "docker.io" + postgresql.image.repository: "mosipid/postgresql" + postgresql.image.tag: "14.2.0-debian-10-r70" + service.type: "ClusterIP" + auth.adminUser: "admin" + extraEnvVars[0].name: "KEYCLOAK_EXTRA_ARGS" + extraEnvVars[0].value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled" + ingress.enabled: "false" + ingress.hostname: "" + ingress.annotations.ingress\.kubernetes\.io/class: "nginx" + proxyAddressForwarding: "true" + replicaCount: "1" + serviceDiscovery.enabled: "true" + resources.requests.cpu: "200m" + resources.requests.memory: "1000Mi" + rbac.create: "true" + rbac.rules[0].apiGroups[0]: "" + rbac.rules[0].resources[0]: "pods" + rbac.rules[0].verbs[0]: "get" + rbac.rules[0].verbs[1]: "list" + wait: true + timeout: 1200 + priority: -11 + + istio-addons-iam: + namespace: keycloak + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/iam-istio-addons-0.1.0.tgz + set: + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: 
"keycloak.keycloak" + service: "keycloak" + wait: true + timeout: 1200 + priority: -10 + hooks: + postInstall: "$WORKDIR/hooks/esignet-1.7.1/keycloak-postinstall.sh" + + # --------------------------------------------------------------------------- + # Captcha Validation Service + # --------------------------------------------------------------------------- + captcha: + namespace: captcha + enabled: true + version: 0.1.0-beta.1 + chart: mosip/captcha + set: + metrics.serviceMonitor.enabled: "false" + wait: true + timeout: 480 + priority: -9 + hooks: + postInstall: "$WORKDIR/hooks/esignet-1.7.1/captcha-postinstall.sh" + + minio: + namespace: minio + enabled: true + version: 10.1.6 + chart: mosip/minio + set: + image.repository: "mosipid/minio" + image.tag: "2022.2.7-debian-10-r0" + metrics.serviceMonitor.enabled: "true" + extraEnvVars[0].name: "MINIO_PROMETHEUS_URL" + extraEnvVars[0].value: "http://rancher-monitoring-prometheus.cattle-monitoring-system:9090" + extraEnvVars[1].name: "MINIO_PROMETHEUS_JOB_ID" + extraEnvVars[1].value: "minio" + resourcesPreset: "none" + wait: true + timeout: 1200 + priority: -8 + # Ensure minio is deployed before its Istio addons + + istio-addons-minio: + namespace: minio + enabled: true + version: 1.2.0 + chart: $WORKDIR/utils/istio-addons/minio-istio-addons-1.2.0.tgz + set: + externalHost: "minio.sandbox.xyz.net" + wait: true + timeout: 1200 + hooks: + postInstall: "$WORKDIR/hooks/s3-setup.sh" + priority: -7 diff --git a/Helmsman/dsf/prereq-dsf.yaml b/Helmsman/dsf/esignet/prereq-dsf.yaml similarity index 100% rename from Helmsman/dsf/prereq-dsf.yaml rename to Helmsman/dsf/esignet/prereq-dsf.yaml diff --git a/Helmsman/dsf/esignet-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml similarity index 100% rename from Helmsman/dsf/esignet-dsf.yaml rename to Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml 
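Review bot: The comments in this new file contradict the values next to them: the header lists PostgreSQL as "optional, disable it if using external DB", the `postgres` app comment says "Disabled by default - enable if deploying a new PostgreSQL instance", and the `keycloak` comment says "Keycloak is optional ... Enable if you need API access control", yet both `postgres` and `keycloak` are `enabled: true`. An operator who follows the comment and points `postgresHost`/`databases.mosip_esignet.host` at an external server will still get a second PostgreSQL installed in the `postgres` namespace; either flip the defaults to `enabled: false` or reword the comments to `# Enabled by default - set to false if using an external PostgreSQL`. The `sandbox.xyz.net` hostnames here carry no "UPDATE THIS" marker, unlike the java21 esignet DSF in the same commit; adding `# UPDATE: replace sandbox.xyz.net with your domain` on `postgresHost`, `kafkaUiHost`, `keycloakExternalHost` and `externalHost` would keep the files consistent. The trailing `# Ensure minio is deployed before its Istio addons` under `minio` sits after `priority: -8` and describes nothing on its own line; it reads better directly above the `priority` key it explains.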
diff --git a/Helmsman/dsf/external-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/external-dsf.yaml similarity index 100% rename from Helmsman/dsf/external-dsf.yaml rename to Helmsman/dsf/mosip-platform-java11/external-dsf.yaml diff --git a/Helmsman/dsf/mosip-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/mosip-dsf.yaml similarity index 100% rename from Helmsman/dsf/mosip-dsf.yaml rename to Helmsman/dsf/mosip-platform-java11/mosip-dsf.yaml diff --git a/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml new file mode 100644 index 00000000..125fcdf4 --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml 
@@ -0,0 +1,111 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + banzaicloud-stable: https://charts.helm.sh/stable + +# Note: Based on your requirement disable the namespaces which you want to use, by default all the namespaces are protected. +namespaces: + kube-system: + protected: true + cattle-monitoring-system: + protected: true + cattle-logging-system: + protected: true + istio-system: + protected: true + istio-operator: + protected: true + httpbin: + protected: true + +apps: + rancher-monitoring-crd: + namespace: cattle-monitoring-system + enabled: true + version: 103.1.1+up45.31.1 + chart: mosip/rancher-monitoring-crd + wait: true + timeout: 900 + priority: -6 + hooks: + postInstall: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net ${ISTIO_VERSION}" + postUpgrade: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net ${ISTIO_VERSION}" + + rancher-monitoring: + namespace: cattle-monitoring-system + enabled: false + version: 103.1.0+up45.31.1 + chart: mosip/rancher-monitoring + set: + grafana.global.cattle.clusterId: "$CLUSTER_ID" + global.cattle.clusterId: "$CLUSTER_ID" + wait: true + valuesFile: "$WORKDIR/utils/monitoring_values.yaml" + priority: -5 + timeout: 600 + hooks: + postInstall: "$WORKDIR/hooks/alerting-setup.sh " + + elasticsearch: + namespace: cattle-logging-system + enabled: true + version: 17.9.25 + chart: mosip/elasticsearch + set: + image.repository: "mosipint/elasticsearch" + image.tag: "7.17.2-debian-10-r4" + # Kibana configuration and image + global.kibanaEnabled: "true" + kibana.image.repository: "mosipid/kibana" + kibana.image.tag: "7.17.2-debian-10-r0" + kibana.image.pullPolicy: IfNotPresent + data.heapSize: "728m" + data.persistence.enabled: "true" + data.persistence.size: "64Gi" + data.resources.requests.memory: "512Mi" + master.heapSize: "1024m" + master.persistence.enabled: 
"true" + master.persistence.size: "4Gi" + master.resources.requests.memory: "728Mi" + kibana.persistence.enabled: "false" + sysctlImage.repository: "mosipid/os-shell" + sysctlImage.tag: "12-debian-12-r46" + wait: true + timeout: 900 + priority: -4 + + istio-addons-logging: + namespace: cattle-logging-system + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/logging-istio-addons-0.1.0.tgz + set: + kibanaHost: "kibana.sandbox.xyz.net" + installName: "elasticsearch-kibana" + wait: true + priority: -3 + + rancher-logging-crd: + namespace: cattle-logging-system + enabled: true + version: 103.1.1+up4.4.0 + chart: mosip/rancher-logging-crd + wait: true + priority: -2 + + rancher-logging: + namespace: cattle-logging-system + enabled: true + version: 103.1.1+up4.4.0 + chart: mosip/rancher-logging + valuesFile: "$WORKDIR/utils/rancher-logging-values.yaml" + wait: true + priority: -1 + timeout: 1200 + hooks: + postInstall: "$WORKDIR/hooks/post_logging-setup.sh" diff --git a/Helmsman/dsf/testrigs-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/testrigs-dsf.yaml similarity index 100% rename from Helmsman/dsf/testrigs-dsf.yaml rename to Helmsman/dsf/mosip-platform-java11/testrigs-dsf.yaml diff --git a/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml new file mode 100644 index 00000000..a510dc74 --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml 
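Review bot: `elasticsearch.set.image.repository` is `"mosipint/elasticsearch"` while every other image in this file and in the sibling DSFs of this commit comes from the `mosipid/` organisation (`mosipid/kibana`, `mosipid/os-shell` in the same app); if that is not deliberate the cluster will pull Elasticsearch from a different registry namespace than the one the project otherwise trusts, so either correct it or add `# intentionally pulled from mosipint, not mosipid` above the line. Installing Istio and httpbin as the `postInstall`/`postUpgrade` hook of the `rancher-monitoring-crd` release ties service-mesh installation to the lifecycle of an unrelated CRD chart, and the hook silently receives an empty version argument if `ISTIO_VERSION` is unset; a comment such as `# Istio is installed from this hook because it must precede every other release; requires ISTIO_VERSION` would at least make the coupling explicit. `rancher-monitoring` is `enabled: false` while its CRD chart and the `cattle-monitoring-system` namespace are enabled and protected, which is presumably intentional but worth a one-line comment. `kibana.image.pullPolicy: IfNotPresent` is the only unquoted `set` value in the file; quoting it as `"IfNotPresent"` matches the rest.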
@@ -0,0 +1,393 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + +namespaces: + postgres: + protected: true + esignet: + protected: false + keycloak: + protected: true + softhsm: + protected: false + redis: + protected: false + artifactory-1202: + protected: false +apps: + postgres: + namespace: postgres + enabled: false + version: 13.1.5 + chart: bitnami/postgresql + wait: true + priority: -18 + valuesFile: "$WORKDIR/utils/postgres-values.yaml" + timeout: 480 + + istio-addons-psql: + namespace: postgres + enabled: false + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/postgres-istio-addons-0.1.0.tgz + set: + postgresHost: "postgres.sandbox.xyz.net" + wait: true + priority: -17 + timeout: 1200 + + postgres-init-esignet: + namespace: esignet + enabled: true + version: 12.0.1 + chart: mosip/postgres-init + set: + # DB_USER_PASSWORD env var is fetched from postgres namespace in GH Actions + # and masked automatically by GitHub Actions runner + dbUserPasswords.dbuserPassword: "$DB_USER_PASSWORD" + databases.mosip_toolkit.enabled: "false" + databases.mosip_master.enabled: "false" + databases.mosip_audit.enabled: "false" + databases.mosip_keymgr.enabled: "false" + databases.mosip_kernel.enabled: "false" + databases.mosip_idmap.enabled: "false" + databases.mosip_prereg.enabled: "false" + databases.mosip_idrepo.enabled: "false" + databases.mosip_ida.enabled: "false" + databases.mosip_credential.enabled: "false" + databases.mosip_regprc.enabled: "false" + databases.mosip_regdevice.enabled: "false" + databases.mosip_authdevice.enabled: "false" + databases.mosip_pms.enabled: "false" + databases.mosip_hotlist.enabled: "false" + databases.mosip_resident.enabled: "false" + databases.mosip_digitalcard.enabled: "false" + # Enable BOTH esignet and mockidentitysystem databases + databases.mosip_esignet.enabled: "true" + 
databases.mosip_esignet.branch: "v1.4.1" + databases.mosip_esignet.host: "postgres.sandbox.xyz.net" + databases.mosip_esignet.port: 5433 + databases.mosip_esignet.dml: 1 + databases.mosip_mockidentitysystem.enabled: "false" + databases.mosip_mockidentitysystem.branch: "v0.9.3" + databases.mosip_mockidentitysystem.host: "postgres.sandbox.xyz.net" + databases.mosip_mockidentitysystem.repoUrl: "https://github.com/mosip/esignet-mock-services.git" + databases.mosip_mockidentitysystem.port: 5433 + databases.mosip_mockidentitysystem.dml: 1 + wait: true + timeout: 180 + priority: -16 + hooks: + preInstall: "$WORKDIR/hooks/esignet-init-db.sh" + + redis: + namespace: redis + enabled: true + version: 17.3.14 + chart: bitnami/redis + wait: true + timeout: 480 + priority: -16 + set: + image.repository: "mosipid/redis" + image.tag: "7.0.5-debian-11-r25" + hooks: + postInstall: "$WORKDIR/hooks/redis-setup.sh" + + softhsm-esignet: + namespace: softhsm + enabled: true + version: 12.0.1 + chart: mosip/softhsm + valuesFile: "$WORKDIR/utils/softhsm-esignet-values.yaml" + timeout: 480 + priority: -15 + hooks: + preInstall: "$WORKDIR/hooks/softhsm-esignet-setup.sh" + postInstall: "$WORKDIR/hooks/softhsm-esignet-postinstall.sh" + + keycloak: + namespace: keycloak + enabled: false + protected: true # Prevent Helmsman from deleting this release + version: 7.1.18 + chart: mosip/keycloak + set: + image.repository: "mosipid/mosip-artemis-keycloak" + image.tag: "1.2.0.2" + image.pullPolicy: "Always" + # Override Postgres image + postgresql.image.registry: "docker.io" + postgresql.image.repository: "mosipid/postgresql" + postgresql.image.tag: "14.2.0-debian-10-r70" + service.type: "ClusterIP" + auth.adminUser: "admin" + extraEnvVars[0].name: "KEYCLOAK_EXTRA_ARGS" + extraEnvVars[0].value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled" + ingress.enabled: "false" + ingress.hostname: 
"" + ingress.annotations.ingress\.kubernetes\.io/class: "nginx" + proxyAddressForwarding: "true" + replicaCount: "1" + serviceDiscovery.enabled: "true" + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "200m" + resources.requests.memory: "1000Mi" + rbac.create: "true" + rbac.rules[0].apiGroups[0]: "" + rbac.rules[0].resources[0]: "pods" + rbac.rules[0].verbs[0]: "get" + rbac.rules[0].verbs[1]: "list" + wait: true + timeout: 600 + priority: -14 + + istio-addons-iam: + namespace: keycloak + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/iam-istio-addons-0.1.0.tgz + set: + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + service: "keycloak" + wait: true + timeout: 1200 + priority: -13 + + esignet-keycloak-init: + namespace: esignet + enabled: true + version: 12.0.2 + chart: mosip/keycloak-init + valuesFile: "$WORKDIR/utils/keycloak-init-values.yaml" + set: + # image.repository: "mosipid/keycloak-init" + # image.tag: "1.2.0.1" + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + clientSecrets[0].name: "$PMS_CLIENT_SECRET_KEY" + clientSecrets[0].secret: "$PMS_CLIENT_SECRET_VALUE" + clientSecrets[1].name: "$MPARTNER_DEFAULT_AUTH_SECRET_KEY" + clientSecrets[1].secret: "$MPARTNER_DEFAULT_AUTH_SECRET_VALUE" + timeout: 480 + priority: -12 + hooks: + preInstall: "$WORKDIR/hooks/esignet-preinstall-keycloak-init.sh" + postInstall: "$WORKDIR/hooks/esignet-postinstall-keycloak-init.sh" + + artifactory-1202: + namespace: artifactory-1202 + enabled: true + version: 12.0.2 + chart: mosip/artifactory + # set: + # image.repository: "mosipid/artifactory-server" + # image.tag: "1.4.1-ES" + wait: true + timeout: 1200 + priority: -12 + hooks: + # For fresh installations + preInstall: "kubectl label ns artifactory-1202 istio-injection=enabled --overwrite" + + esignet: + namespace: esignet + enabled: true + version: 1.4.1 + chart: mosip/esignet + 
set: + # image.repository: "mosipid/esignet" + # image.tag: "1.4.1" + # Set to true if you don't have public domain & valid SSL (development only) + enable_insecure: "false" + extraEnvVarsCM[0]: "global" + extraEnvVarsCM[1]: "config-server-share" + extraEnvVarsCM[2]: "artifactory-1202-share" + extraEnvVarsCM[3]: "softhsm-esignet-share" + wait: true + timeout: 600 + priority: -11 + hooks: + preInstall: "$WORKDIR/hooks/esignet-preinstall.sh" + + oidc-ui: + namespace: esignet + enabled: true + version: 1.4.1 + chart: mosip/oidc-ui + set: + istio.hosts[0]: "esignet.sandbox.xyz.net" + extraEnvVarsCM[0]: "global" + extraEnvVarsCM[1]: "config-server-share" + extraEnvVarsCM[2]: "artifactory-1202-share" + extraEnvVarsCM[3]: "softhsm-esignet-share" + extraEnvVarsCM[4]: "oidc-ui" + # image.repository: "mosipid/esignet" + # image.tag: "1.4.1" + timeout: 1200 + priority: -10 + hooks: + preInstall: "$WORKDIR/hooks/oidc-ui-preinstall.sh" + + softhsm-mock-identity-system: + namespace: softhsm + enabled: false + version: 12.0.1 + chart: mosip/softhsm + valuesFile: "$WORKDIR/utils/softhsm-mock-identity-system-values.yaml" + wait: true + timeout: 480 + priority: -9 + hooks: + preInstall: "$WORKDIR/hooks/softhsm-mock-identity-system-preinstall.sh" + postInstall: "$WORKDIR/hooks/softhsm-mock-identity-system-postinstall.sh" + + mock-identity-system: + namespace: esignet + enabled: false + version: 0.9.3 + chart: mosip/mock-identity-system + set: + # Set to true if you don't have public domain & valid SSL (development only) + enable_insecure: "false" + extraEnvVarsCM[0]: "global" + extraEnvVarsCM[1]: "config-server-share" + extraEnvVarsCM[2]: "artifactory-1202-share" + extraEnvVarsCM[3]: "softhsm-mock-identity-system-share" + timeout: 480 + priority: -8 + hooks: + preInstall: "$WORKDIR/hooks/mock-identity-system-preinstall.sh" + + mock-relying-party-service: + namespace: esignet + enabled: true + version: 0.9.3 + chart: mosip/mock-relying-party-service + set: + # eSignet service URL 
(internal) + mock_relying_party_service.ESIGNET_SERVICE_URL: "http://esignet.esignet/v1/esignet" + # eSignet AUD URL (external) - UPDATE with your esignet domain + mock_relying_party_service.ESIGNET_AUD_URL: "https://esignet.sandbox.xyz.net/v1/esignet/oauth/v2/token" + # Set to true if you don't have public domain & valid SSL (development only) + enable_insecure: "false" + timeout: 480 + priority: -7 + hooks: + preInstall: "$WORKDIR/hooks/mock-relying-party-service-preinstall.sh" + + mock-relying-party-ui: + namespace: esignet + enabled: true + version: 0.9.3 + chart: mosip/mock-relying-party-ui + set: + # UPDATE THIS: Mock Relying Party UI domain (e.g., healthservices.sandbox.xyz.net) + mock_relying_party_ui.mock_relying_party_ui_service_host: "healthservices.sandbox.xyz.net" + mock_relying_party_ui.ESIGNET_UI_BASE_URL: "https://esignet.sandbox.xyz.net" + mock_relying_party_ui.MOCK_RELYING_PARTY_SERVER_URL: "https://healthservices.sandbox.xyz.net/mock-relying-party-service" + mock_relying_party_ui.REDIRECT_URI: "https://healthservices.sandbox.xyz.net/userprofile" + mock_relying_party_ui.REDIRECT_URI_REGISTRATION: "https://healthservices.sandbox.xyz.net/registration" + mock_relying_party_ui.SIGN_IN_BUTTON_PLUGIN_URL: "https://esignet.sandbox.xyz.net/plugins/sign-in-button-plugin.js" + istio.hosts[0]: "healthservices.sandbox.xyz.net" + wait: true + timeout: 480 + priority: -6 + hooks: + preInstall: "$WORKDIR/hooks/mock-relying-party-ui-preinstall.sh" + + esignet-resident-oidc-partner-onboarder: + namespace: esignet + enabled: true + version: 12.0.1 + chart: mosip/partner-onboarder + set: + # Module Configuration + # S3 Configuration - UPDATE THESE VALUES FOR YOUR ENVIRONMENT + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: "false" + 
onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: "false" + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: "false" + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: "false" + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: "false" + onboarding.modules[5].name: "digitalcard" + onboarding.modules[5].enabled: "false" + onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: "true" + onboarding.modules[7].name: "resident-oidc" + onboarding.modules[7].enabled: "true" + onboarding.modules[8].name: "demo-oidc" + onboarding.modules[8].enabled: "false" + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: "false" + # Set to true if you don't have public domain & valid SSL (development only) + #onboarding.configmaps.onboarding.ENABLE_INSECURE: "false" + wait: true + waitForJobs: true + timeout: 240 + priority: -5 + hooks: + preInstall: "$WORKDIR/hooks/esignet-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-partner-onboarder-postinstall.sh" + + esignet-demo-oidc-partner-onboarder: + namespace: esignet + enabled: true + version: 12.0.1 + chart: mosip/partner-onboarder + set: + # Module Configuration - Only demo-oidc enabled + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: "false" + onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: "false" + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: "false" + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: "false" + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: "false" + onboarding.modules[5].name: "digitalcard" + onboarding.modules[5].enabled: "false" + onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: "false" + 
onboarding.modules[7].name: "resident-oidc" + onboarding.modules[7].enabled: "false" + onboarding.modules[8].name: "demo-oidc" + onboarding.modules[8].enabled: "true" + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: "false" + # S3 Configuration - UPDATE THESE VALUES FOR YOUR ENVIRONMENT + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + # Set to true if you don't have public domain & valid SSL (development only) + #onboarding.configmaps.onboarding.ENABLE_INSECURE: "false" + wait: true + waitForJobs: true + timeout: 240 + priority: -4 + hooks: + preInstall: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-postinstall.sh" diff --git a/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml new file mode 100644 index 00000000..70eac633 --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml 
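Review bot: `esignet-keycloak-init` passes `$PMS_CLIENT_SECRET_VALUE` and `$MPARTNER_DEFAULT_AUTH_SECRET_VALUE` through `set:` exactly like a non-sensitive value, whereas `postgres-init-esignet` carries a comment explaining that `$DB_USER_PASSWORD` is fetched in GH Actions and masked by the runner; the client secrets should carry the same explanation, e.g. `# Fetched from the cluster in GH Actions and masked by the runner; never set in a committed file`, and it is worth confirming that Helmsman's logging of `set` values does not print them on a failed run. `keycloak` is `enabled: false` (and `protected: true`) while `istio-addons-iam` and `esignet-keycloak-init` are enabled, so this DSF presumably assumes a pre-existing Keycloak release in the `keycloak` namespace; a comment on `keycloak` saying so would prevent someone from "fixing" it by enabling the app. The `# Module Configuration` comment under `esignet-resident-oidc-partner-onboarder` sits above the S3 block rather than above `onboarding.modules[0]`, so it labels the wrong section.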
@@ -0,0 +1,418 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + wiremind: https://wiremind.github.io/wiremind-helm-charts + kafka-ui: https://provectus.github.io/kafka-ui-charts + +# Note: Based on your requirement disable the namespaces which you want to use, by default all the namespaces are protected. +namespaces: + postgres: + protected: true + keycloak: + protected: true + softhsm: + protected: true + minio: + protected: true + clamav: + protected: true + activemq: + protected: true + kafka: + protected: true + s3: + protected: true + msg-gateways: + protected: true + captcha: + protected: true + landing-page: + protected: true + +apps: + postgres: + namespace: postgres + enabled: false + version: 13.1.5 + chart: bitnami/postgresql + wait: true + priority: -16 + valuesFile: "$WORKDIR/utils/postgres-values.yaml" + timeout: 1200 + + istio-addons-psql: + namespace: postgres + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/postgres-istio-addons-0.1.0.tgz + set: + postgresHost: "postgres.sandbox.xyz.net" + wait: true + priority: -4 + timeout: 1200 + + postgres-init: + namespace: postgres + enabled: true + version: 12.0.2 + chart: mosip/postgres-init + set: + dbUserPasswords.dbuserPassword: "" + databases.mosip_master.enabled: "true" + databases.mosip_master.branch: "v1.2.1.4" + databases.mosip_master.host: "postgres.sandbox.xyz.net" + databases.mosip_master.port: 5433 + + databases.mosip_audit.enabled: "true" + databases.mosip_audit.branch: "v1.2.0.1" + databases.mosip_audit.host: "postgres.sandbox.xyz.net" + databases.mosip_audit.port: 5433 + + databases.mosip_keymgr.enabled: "true" + databases.mosip_keymgr.branch: "v1.2.1.0" + databases.mosip_keymgr.host: "postgres.sandbox.xyz.net" + databases.mosip_keymgr.port: 5433 + + databases.mosip_kernel.enabled: "true" + databases.mosip_kernel.branch: "v1.2.0.2" + 
databases.mosip_kernel.host: "postgres.sandbox.xyz.net" + databases.mosip_kernel.port: 5433 + + databases.mosip_idmap.enabled: "true" + databases.mosip_idmap.branch: "v1.2.2.4" + databases.mosip_idmap.host: "postgres.sandbox.xyz.net" + databases.mosip_idmap.port: 5433 + + databases.mosip_prereg.enabled: "true" + databases.mosip_prereg.branch: "v1.2.0.3" + databases.mosip_prereg.host: "postgres.sandbox.xyz.net" + databases.mosip_prereg.port: 5433 + + databases.mosip_idrepo.enabled: "true" + databases.mosip_idrepo.branch: "v1.2.2.4" + databases.mosip_idrepo.host: "postgres.sandbox.xyz.net" + databases.mosip_idrepo.port: 5433 + + databases.mosip_ida.enabled: "true" + databases.mosip_ida.branch: "v1.2.1.3" + databases.mosip_ida.host: "postgres.sandbox.xyz.net" + databases.mosip_ida.port: 5433 + + databases.mosip_credential.enabled: "true" + databases.mosip_credential.branch: "v1.2.2.4" + databases.mosip_credential.host: "postgres.sandbox.xyz.net" + databases.mosip_credential.port: 5433 + + databases.mosip_regprc.enabled: "true" + databases.mosip_regprc.branch: "v1.2.1.2" + databases.mosip_regprc.host: "postgres.sandbox.xyz.net" + databases.mosip_regprc.port: 5433 + + databases.mosip_pms.enabled: "true" + databases.mosip_pms.branch: "v1.2.2.3" + databases.mosip_pms.host: "postgres.sandbox.xyz.net" + databases.mosip_pms.port: 5433 + + databases.mosip_hotlist.enabled: "true" + databases.mosip_hotlist.branch: "v1.2.1.4" + databases.mosip_hotlist.host: "postgres.sandbox.xyz.net" + databases.mosip_hotlist.port: 5433 + + databases.mosip_resident.enabled: "true" + databases.mosip_resident.branch: "v1.2.1.3" + databases.mosip_resident.host: "postgres.sandbox.xyz.net" + databases.mosip_resident.port: 5433 + + databases.mosip_otp.enabled: "true" + databases.mosip_otp.branch: "v1.3.0-beta.1" + databases.mosip_otp.host: "postgres.sandbox.xyz.net" + databases.mosip_otp.port: 5433 + + databases.mosip_digitalcard.enabled: "true" + databases.mosip_digitalcard.branch: "v1.2.0.1" + 
databases.mosip_digitalcard.host: "postgres.sandbox.xyz.net" + databases.mosip_digitalcard.port: 5433 + wait: true + timeout: 1200 + priority: -15 + + keycloak: + namespace: keycloak + enabled: true + version: 7.1.18 + chart: mosip/keycloak + set: + image.repository: "mosipid/mosip-artemis-keycloak" + image.tag: "1.2.0.2" + image.pullPolicy: "Always" + # Override Postgres image + postgresql.image.registry: "docker.io" + postgresql.image.repository: "mosipid/postgresql" + postgresql.image.tag: "14.2.0-debian-10-r70" + service.type: "ClusterIP" + auth.adminUser: "admin" + extraEnvVars[0].name: "KEYCLOAK_EXTRA_ARGS" + extraEnvVars[0].value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled" + ingress.enabled: "false" + ingress.hostname: "" + ingress.annotations.ingress\.kubernetes\.io/class: "nginx" + proxyAddressForwarding: "true" + replicaCount: "1" + serviceDiscovery.enabled: "true" + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "200m" + resources.requests.memory: "1000Mi" + rbac.create: "true" + rbac.rules[0].apiGroups[0]: "" + rbac.rules[0].resources[0]: "pods" + rbac.rules[0].verbs[0]: "get" + rbac.rules[0].verbs[1]: "list" + wait: true + timeout: 1200 + priority: -14 + + istio-addons-iam: + namespace: keycloak + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/iam-istio-addons-0.1.0.tgz + set: + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + service: "keycloak" + wait: true + timeout: 1200 + priority: -3 + + keycloak-init: + namespace: keycloak + enabled: true + version: 12.0.2 + chart: mosip/keycloak-init + set: + # image.repository: "mosipid/keycloak-init" + # image.tag: "1.2.0.1" + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + keycloak.realms.mosip.realm_config.attributes.frontendUrl: 
"https://iam.sandbox.xyz.net/auth" + keycloak.realms.mosip.realm_config.smtpServer.auth: "false" + keycloak.realms.mosip.realm_config.smtpServer.host: "smtp.gmail.com" + keycloak.realms.mosip.realm_config.smtpServer.port: "465" + keycloak.realms.mosip.realm_config.smtpServer.from: "mosipqa@gmail.com" + keycloak.realms.mosip.realm_config.smtpServer.starttls: "false" + keycloak.realms.mosip.realm_config.smtpServer.ssl: "true" + wait: true + timeout: 1200 + priority: -13 + + softhsm-kernel: + namespace: softhsm + enabled: true + version: 12.0.1 + chart: mosip/softhsm + set: + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "100m" + resources.requests.memory: "100Mi" + wait: true + timeout: 1200 + priority: -12 + + softhsm-ida: + namespace: softhsm + enabled: true + version: 12.0.1 + chart: mosip/softhsm + set: + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "100m" + resources.requests.memory: "200Mi" + wait: true + timeout: 1200 + priority: -11 + + minio: + namespace: minio + enabled: true + version: 10.1.6 + chart: mosip/minio + set: + image.repository: "mosipid/minio" + image.tag: "2022.2.7-debian-10-r0" + metrics.serviceMonitor.enabled: "true" + extraEnvVars[0].name: "MINIO_PROMETHEUS_URL" + extraEnvVars[0].value: "http://rancher-monitoring-prometheus.cattle-monitoring-system:9090" + extraEnvVars[1].name: "MINIO_PROMETHEUS_JOB_ID" + extraEnvVars[1].value: "minio" + resourcesPreset: "none" + wait: true + timeout: 1200 + priority: -10 + + istio-addons-minio: + namespace: minio + enabled: true + version: 1.2.0 + chart: $WORKDIR/utils/istio-addons/minio-istio-addons-1.2.0.tgz + set: + externalHost: "minio.sandbox.xyz.net" + wait: true + timeout: 1200 + hooks: + postInstall: "$WORKDIR/hooks/s3-setup.sh" + priority: -2 + + clamav: + namespace: clamav + enabled: true + version: 3.1.0 + chart: wiremind/clamav + set: + replicaCount: "1" + # image.repository, image.tag, and 
image.pullPolicy are commented out in the original YAML + # Uncomment and update as needed: + image.repository: "mosipid/clamav" + image.tag: "1.3.0_base" + # image.pullPolicy: "Always" + wait: true + timeout: 1200 + priority: -9 + + activemq: + namespace: activemq + enabled: true + version: 0.0.2 + chart: mosip/activemq-artemis + set: + istio.enabled: "true" + istio.hosts[0]: "activemq.sandbox.xyz.net" + istio.ingressController.name: "ingressgateway-internal" + istio.prefix: "" + wait: true + timeout: 1200 + priority: -8 + hooks: + postInstall: "$WORKDIR/hooks/captcha-setup.sh " + # Note: Create a google recaptcha v2 ("I am not a Robot") from Google Recaptcha Admin. + # Pass the captcha site and secret key in the above post install script as an argument.To create site and secret key below is the link: + # https://cloud.google.com/security/products/recaptcha + # https://www.google.com/recaptcha/admin/create + + kafka: + namespace: kafka + enabled: true + version: 18.3.1 + chart: bitnami/kafka + set: + # Add these for image overrides + image.repository: "mosipid/kafka" + image.tag: "3.2.1-debian-11-r9" + zookeeper.image.repository: "mosipid/zookeeper" + zookeeper.image.tag: "3.8.0-debian-11-r30" + clusterDomain: "cluster.local" + logRetentionBytes: "_1073741824" + defaultReplicationFactor: "3" + offsetsTopicReplicationFactor: "3" + transactionStateLogReplicationFactor: "3" + numPartitions: "20" + replicaCount: "5" + autoCreateTopicsEnable: "true" + deleteTopicEnable: "true" + persistence.enabled: "true" + persistence.accessModes[0]: "ReadWriteOnce" + persistence.size: "8Gi" + zookeeper.enabled: "true" + zookeeper.replicaCount: "5" + zookeeper.persistence.enabled: "true" + zookeeper.persistence.size: "2Gi" + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "200m" + resources.requests.memory: "2000Mi" + startupProbe.enabled: "true" + startupProbe.initialDelaySeconds: "30" + startupProbe.periodSeconds: "10" + 
startupProbe.timeoutSeconds: "1" + startupProbe.failureThreshold: "30" + startupProbe.successThreshold: "1" + wait: true + timeout: 1200 + priority: -7 + + kafka-ui: + namespace: kafka + enabled: true + version: 0.4.2 + chart: kafka-ui/kafka-ui + set: + # Add these for image overrides + # image.repository: "docker.io/provectuslabs/kafka-ui" + # image.tag: "v0.4.0" + envs.config.KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: "kafka.kafka:9092" + envs.config.KAFKA_CLUSTERS_0_NAME: "main_kafka" + envs.config.KAFKA_CLUSTERS_0_ZOOKEEPER: "kafka-zookeeper.kafka:2181" + envs.config.KAFKA_CLUSTERS_0_KAFKACONNECT_0_ADDRESS: "http://debezium-service.reporting:8083" + envs.config.KAFKA_CLUSTERS_0_KAFKACONNECT_0_NAME: "debezium" + envs.config.KAFKA_CLUSTERS_0_KAFKACONNECT_1_ADDRESS: "http://es-connect.reporting:8083" + envs.config.KAFKA_CLUSTERS_0_KAFKACONNECT_1_NAME: "es-connect" + image.pullPolicy: "Always" + wait: true + timeout: 1200 + priority: -6 + + istio-addons-kafka: + namespace: kafka + enabled: true + version: 1.2.0 + chart: $WORKDIR/utils/istio-addons/kafka-istio-addons-1.2.0.tgz + set: + kafkaUiHost: "kafka.sandbox.xyz.net" + installName: "kafka-ui" + wait: true + timeout: 1200 + hooks: + postInstall: "$WORKDIR/hooks/msg-gateways-setup.sh" + priority: -1 + + landing-page: + namespace: landing-page + enabled: true + version: 12.0.2 + chart: mosip/landing-page + set: + landing.version: "develop" + landing.name: "" + landing.api: "api.sandbox.xyz.net" + landing.apiInternal: "api-internal.sandbox.xyz.net" + landing.admin: "admin.sandbox.xyz.net" + landing.prereg: "prereg.sandbox.xyz.net" + landing.kafka: "kafka.sandbox.xyz.net" + landing.kibana: "kibana.sandbox.xyz.net" + landing.activemq: "activemq.sandbox.xyz.net" + landing.minio: "minio.sandbox.xyz.net" + landing.keycloak: "iam.sandbox.xyz.net" + landing.regclient: "regclient.sandbox.xyz.net" + landing.postgres.host: "postgres.sandbox.xyz.net" + landing.postgres.port: "5433" + landing.compliance: "compliance.sandbox.xyz.net" + 
landing.pmp: "pmp.sandbox.xyz.net" + landing.resident: "resident.sandbox.xyz.net" + landing.esignet: "esignet.sandbox.xyz.net" + landing.smtp: "smtp.sandbox.xyz.net" + landing.healthservices: "healthservices.sandbox.xyz.net" + landing.injiweb: "injiweb.sandbox.xyz.net" + landing.injiverify: "injiverify.sandbox.xyz.net" + istio.host: "sandbox.xyz.net" + wait: true + timeout: 1200 + hooks: + preInstall: "$WORKDIR/hooks/landing-page.sh" + priority: -5 diff --git a/Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml new file mode 100644 index 00000000..fcdfefcb --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml 
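Review bot: The `keycloak` app's `extraEnvVars[0].value` switches on `upload_scripts` (together with the preview features `token_exchange` and `admin_fine_grained_authz`) and nothing in the file records why; as far as I know `upload_scripts` lets a realm administrator upload JavaScript that runs inside the Keycloak server process, which is not a flag a later maintainer should find enabled with no explanation of what depends on it. Add a why-comment above that line, e.g. `# upload_scripts/token_exchange/admin_fine_grained_authz are needed by keycloak-init (script mappers / token exchange) — verify before hardening; upload_scripts permits server-side JS upload by realm admins`, or drop `upload_scripts` if keycloak-init does not actually require it. In the same hunk, `postgres-init` sets `dbUserPasswords.dbuserPassword: ""` with no note on whether a blank value makes the chart generate a password or creates every `mosip_*` DB user with an empty one; a one-line comment stating the intended behaviour and where the real value is injected would keep this sandbox template from being applied verbatim. The `clamav` comment `# image.repository, image.tag, and image.pullPolicy are commented out in the original YAML` is also stale, since `image.repository` and `image.tag` are set uncommented on the next two lines.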
@@ -0,0 +1,1110 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + +namespaces: + conf-secrets: + protected: false + config-server: + protected: false + artifactory: + protected: false + captcha: + protected: false + keymanager: + protected: false + websub: + protected: false + mock-smtp: + protected: false + kernel: + protected: false + masterdata-loader: + protected: false + biosdk: + protected: false + packetmanager: + protected: false + datashare: + protected: false + prereg: + protected: false + idrepo: + protected: false + pms: + protected: false + abis: + protected: false + regproc: + protected: false + admin: + protected: false + ida: + protected: false + print: + protected: false + digitalcard: + protected: false + resident: + protected: false + onboarder: + protected: false + mosip-file-server: + protected: false + regclient: + protected: false +apps: + conf-secrets: + namespace: conf-secrets + enabled: true + version: 12.0.3 + chart: mosip/conf-secrets + priority: -20 + + config-server: + namespace: config-server + enabled: true + version: 12.0.4-develop + chart: mosip/config-server + valuesFile: "$WORKDIR/utils/config-server-values.yaml" + wait: true + timeout: 1200 + priority: -19 + hooks: + preInstall: "$WORKDIR/hooks/config-server-setup.sh" + + artifactory: + namespace: artifactory + enabled: true + version: 12.0.4 + chart: mosip/artifactory + # set: + # image.repository: "mosipid/artifactory-server" + # image.tag: "1.4.1-ES" + wait: true + timeout: 1200 + priority: -18 + hooks: + # For fresh installations + preInstall: "kubectl label ns artifactory istio-injection=enabled --overwrite" + postInstall: "$WORKDIR/hooks/common-labeling-istio-and-sharing-cm-secrets-among-ns.sh" + + # For upgrades/retries + preUpgrade: "kubectl label ns artifactory istio-injection=enabled --overwrite" + postUpgrade: 
"$WORKDIR/hooks/common-labeling-istio-and-sharing-cm-secrets-among-ns.sh" + + captcha: + namespace: captcha + enabled: true + version: 0.1.0 + chart: mosip/captcha + set: + # image.repository: "mosipdev/captcha-validation-service" + # image.tag: "develop" + extraEnvVars[0].name: MOSIP_CAPTCHA_SECRET_PREREGISTRATION + extraEnvVars[0].valueFrom.secretKeyRef.name: mosip-captcha + extraEnvVars[0].valueFrom.secretKeyRef.key: prereg-captcha-secret-key + priority: -17 + timeout: 1200 + hooks: + preInstall: "kubectl label ns captcha istio-injection=enabled --overwrite" + + + mock-abis: + namespace: abis + enabled: true + version: 12.0.2 + chart: mosip/mock-abis + set: + startupProbe.failureThreshold: 60 + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -16 + + + mock-mv: + namespace: abis + enabled: true + version: 12.0.2 + chart: mosip/mock-mv + set: + resources.requests.cpu: 200m + resources.requests.memory: 1500Mi + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -16 + + + kernel-keygen: + namespace: keymanager + enabled: true + version: 12.0.1 + chart: mosip/keygen + set: + # image.repository: "mosipdev/keys-generator" + # image.tag: "MOSIP-41674" + springConfigNameEnv: "kernel" + softHsmCM: "softhsm-kernel-share" + # persistence.enabled: "false" + # volumePermissions.enabled: "false" + # persistence.size: "" + # persistence.mountDir: "" + # persistence.pvc_claim_name: "" + wait: true + timeout: 1200 + priority: -15 + + keymanager: + namespace: keymanager + enabled: true + version: 12.1.0 + chart: mosip/keymanager + # set: + # image.repository: "mosipid/kernel-keymanager-service" + # image.tag: "1.2.1.0" + # persistence.enabled: "false" + # volumePermissions.enabled: "false" + # persistence.size: "" + # persistence.mountDir: "" + # persistence.pvc_claim_name: "" + wait: true + timeout: 1200 + priority: -14 + hooks: + preInstall: "$WORKDIR/hooks/wait-for-keygen.sh" + + websub-consolidator: + namespace: websub + enabled: true + 
version: 12.0.1 + chart: mosip/websub-consolidator + # set: + # image.repository: "mosipqa/consolidator-websub-service" + # image.tag: "1.3.x" + wait: true + timeout: 1200 + priority: -13 + + + websub: + namespace: websub + enabled: true + version: 12.0.1 + chart: mosip/websub + # set: + # image.repository: "mosipqa/websub-service" + # image.tag: "1.3.x" + timeout: 1200 + priority: -12 + + mock-smtp: + namespace: mock-smtp + enabled: true + version: 1.0.0 + chart: mosip/mock-smtp + set: + # image.repository: "mosipdev/mock-smtp" + # image.tag: "1.0.0" + istio.hosts[0]: "smtp.sandbox.xyz.net" + priority: -12 + timeout: 1200 + + + masterdata-loader: + namespace: masterdata-loader + enabled: true + version: 12.0.1 + chart: mosip/masterdata-loader + set: + # image.repository: "mosipqa/masterdata-loader" + # image.tag: "develop" + mosipDataGithubBranch: "v1.2.2.0" + mosipDataGithubRepo: "https://github.com/mosip/mosip-data" + mosipDataXlsfolderPath: "/home/mosip/mosip-data/mosip_master/xlsx" + db.host: "postgres.sandbox.xyz.net" + db.port: 5433 + wait: true + priority: -11 + timeout: 1200 + + + authmanager: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/authmanager + # set: + # image.repository: "mosipdev/kernel-auth-service" + # image.tag: "develop" + priority: -10 + timeout: 1200 + + + auditmanager: + namespace: kernel + enabled: true + version: 12.0.1 + chart: mosip/auditmanager + # set: + # image.repository: "mosipdev/kernel-auditmanager-service" + # image.tag: "release-1.3.x" + priority: -10 + timeout: 1200 + + + idgenerator: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/idgenerator + set: + # image.repository: "bn1997/kernel-idgenerator-service" + # image.tag: "develop" + resources.limits.cpu: "1" + resources.limits.memory: "3000Mi" + resources.requests.cpu: "700m" + resources.requests.memory: "2500Mi" + startupProbe.failureThreshold: "30" + startupProbe.periodSeconds: "10" + priority: -10 + timeout: 1200 + + + 
masterdata: + namespace: kernel + enabled: true + version: 12.1.4 + chart: mosip/masterdata + set: + # image.repository: "mosipid/kernel-masterdata-service" + # image.tag: "1.2.1.2" + resources.limits.cpu: "600m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "200m" + resources.requests.memory: "2000Mi" + istio.corsPolicy.allowOrigins[0].exact: "https://admin.sandbox.xyz.net" + wait: true + priority: -10 + timeout: 1200 + + + otpmanager: + namespace: kernel + enabled: true + version: 12.0.1 + chart: mosip/otpmanager + # set: + # image.repository: "" + # image.tag: "" + priority: -10 + timeout: 1200 + + + pridgenerator: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/pridgenerator + # set: + # image.repository: "" + # image.tag: "" + priority: -10 + timeout: 1200 + + + ridgenerator: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/ridgenerator + # set: + # image.repository: "" + # image.tag: "" + priority: -10 + timeout: 1200 + + + syncdata: + namespace: kernel + enabled: true + version: 12.1.4 + chart: mosip/syncdata + set: + # image.repository: "mosipid/kernel-syncdata-service" + # image.tag: "1.2.1.2" + resources.limits.cpu: "500m" + resources.limits.memory: "5000Mi" + resources.requests.cpu: "300m" + resources.requests.memory: "2500Mi" + startupProbe.failureThreshold: "60" + priority: -10 + timeout: 1200 + + + notifier: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/notifier + # set: + # image.repository: "" + # image.tag: "" + priority: -10 + timeout: 1200 + + + biosdk-service: + namespace: biosdk + enabled: true + version: 12.0.1 + chart: mosip/biosdk-service + set: + # image.repository: "mosipid/biosdk-server" + # image.tag: "12.0.1" + biosdk.zippedLibUrl: "http://artifactory.artifactory/artifactory/libs-release-local/biosdk/biosdk-lib.zip" + biosdk.bioapiImpl: "io.mosip.mock.sdk.impl.SampleSDKV2" + priority: -10 + timeout: 1200 + + + packetmanager: + namespace: packetmanager + 
enabled: true + version: 12.0.4 + chart: mosip/packetmanager + # set: + # image.repository: "mosipid/commons-packet-service" + # image.tag: "1.2.0.3" + priority: -10 + timeout: 1200 + + + datashare: + namespace: datashare + enabled: true + version: 12.0.2 + chart: mosip/datashare + # set: + # image.repository: "mosipid/data-share-service" + # image.tag: "1.2.0.1" + priority: -10 + timeout: 1200 + + prereg-gateway: + namespace: prereg + enabled: true + version: 12.0.3 + chart: mosip/prereg-gateway + set: + istio.hosts[0]: "prereg.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + prereg-captcha: + namespace: prereg + enabled: true + version: 12.0.1 + chart: mosip/prereg-captcha + set: + image.repository: "mosipid/pre-registration-captcha-service" + image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + prereg-application: + namespace: prereg + enabled: true + version: 12.0.3 + chart: mosip/prereg-application + # set: + # image.repository: "mosipid/pre-registration-application-service" + # image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + + prereg-booking: + namespace: prereg + enabled: true + version: 12.0.2 + chart: mosip/prereg-booking + set: + image.repository: "mosipid/pre-registration-booking-service" + image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + prereg-datasync: + namespace: prereg + enabled: true + version: 12.0.3 + chart: mosip/prereg-datasync + # set: + # image.repository: "mosipid/pre-registration-datasync-service" + # image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + + prereg-batchjob: + namespace: prereg + enabled: true + version: 12.0.3 + chart: mosip/prereg-batchjob + # set: + # image.repository: "mosipid/pre-registration-batchjob" + # image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + + + prereg-ui: + namespace: prereg + enabled: true + version: 12.0.1 + chart: mosip/prereg-ui + set: + # image.repository: "" + # image.tag: "" + prereg.apiHost: "prereg.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + + idrepo-saltgen: 
+ namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/idrepo-saltgen + # set: + # image.repository: "" + # image.tag: "" + #timeout: 240 + priority: -9 + timeout: 1200 + + + credential: + namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/credential + set: + # image.repository: "mosipid/credential-service" + # image.tag: "1.2.2.2" + replicaCount: 2 + resources.limits.cpu: "500m" + resources.limits.memory: "3000Mi" + resources.requests.cpu: "200m" + resources.requests.memory: "2000Mi" + priority: -8 + timeout: 1200 + + credentialrequest: + namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/credentialrequest + set: + # image.repository: "mosipid/credential-request-generator" + # image.tag: "1.2.2.2" + replicaCount: 2 + resources.limits.cpu: "1" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "1" + resources.requests.memory: "3000Mi" + priority: -7 + timeout: 1200 + + + identity: + namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/identity + set: + replicaCount: 2 + # image.repository: "mosipid/id-repository-identity-service" + # image.tag: "1.2.2.2" + priority: -7 + timeout: 1200 + + vid: + namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/vid + set: + replicaCount: 2 + # image.repository: "mosipid/id-repository-vid-service" + # image.tag: "1.2.2.2" + priority: -6 + timeout: 1200 + + # pms-keycloak-init: + # namespace: pms + # enabled: false + # version: 0.0.1-develop + # chart: mosip/keycloak-init + # set: + # # image.repository: "" + # # image.tag: "" + # priority: -8 + # timeout: 1200 + # hooks: + # preInstall: "$WORKDIR/hooks/pms-keycloak-init.sh" + + + pms-partner: + namespace: pms + enabled: true + version: 12.2.3 + chart: mosip/pms-partner + set: + # image.repository: "mosipid/partner-management-service" + # image.tag: "1.2.2.1" + istio.corsPolicy.allowOrigins[0].prefix: "https://pmp.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + + pms-policy: + namespace: pms + 
enabled: true + version: 12.2.3 + chart: mosip/pms-policy + set: + # image.repository: "mosipid/partner-management-service" + # image.tag: "1.2.2.1" + istio.corsPolicy.allowOrigins[0].prefix: "https://pmp.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + + # pmp-ui: + # namespace: pms + # enabled: true + # version: 12.0.2 + # chart: mosip/pmp-ui + # set: + # image.repository: "mosipid/pmp-ui" + # image.tag: "1.2.2.1" + # pmp.apiUrl: "https://api-internal.sandbox.xyz.net/" + # istio.hosts[0]: "pmp.sandbox.xyz.net" + # priority: -9 + # timeout: 1200 + + + pmp-revamp-ui: + namespace: pms + enabled: true + version: 12.2.2 + chart: mosip/pmp-revamp-ui + set: + # image.repository: "mosipqa/pmp-revamp-ui" + # image.tag: "develop" + pmp_revamp.react_app_partner_manager_api_base_url: "https://api-internal.sandbox.xyz.net/v1/partnermanager" + pmp_revamp.react_app_policy_manager_api_base_url: "https://api-internal.sandbox.xyz.net/v1/policymanager" + pmp_revamp.pms_partner_manager_internal_service_url: "http://pms-partner.pms/v1/partnermanager" + pmp_revamp.pms_policy_manager_internal_service_url: "http://pms-policy.pms/v1/policymanager" + istio.hosts[0]: "pmp.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + regproc-salt: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-salt + set: + image.repository: "mosipid/kernel-salt-generator" + image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + + regproc-workflow: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-workflow + set: + resources.limits.cpu: "500m" + resources.limits.memory: "3000Mi" + resources.requests.cpu: "200m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "" + # image.tag: "" + priority: -8 + timeout: 1200 + hooks: + preInstall: "$WORKDIR/hooks/wait-for-regprocjob.sh" + + regproc-status: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-status + set: + resources.limits.cpu: 
"500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -7 + + regproc-camel: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-camel + set: + resources.limits.cpu: "1" + resources.limits.memory: "2000Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1500Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -7 + + regproc-pktserver: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-pktserver + set: + resources.limits.cpu: "500m" + resources.limits.memory: "1250Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -7 + + regproc-group1: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group1 + set: + resources.limits.cpu: "1" + resources.limits.memory: "5000Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + persistence.storageClass: nfs-csi + persistence.size: 5Gi + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -7 + + regproc-group2: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group2 + set: + # image.repository: "" + # image.tag: "" + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "4000Mi" + startupProbe.failureThreshold: 60 + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group3: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group3 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "3000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group4: + namespace: regproc + enabled: 
true + version: 12.1.2 + chart: mosip/regproc-group4 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group5: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group5 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group6: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group6 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group7: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group7 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-trans: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-trans + set: + resources.limits.cpu: "500m" + resources.limits.memory: "2500Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-notifier: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-notifier + set: + resources.limits.cpu: "500m" + resources.limits.memory: "1500Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "1500Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -6 + + regproc-reprocess: + namespace: regproc + enabled: true + version: 12.1.2 + chart: 
mosip/regproc-reprocess + set: + resources.limits.cpu: "500m" + resources.limits.memory: "2500Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -6 + + regproc-landingzone: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-landingzone + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "mosipid/registration-processor-landing-zone" + # image.tag: "1.2.0.2" + timeout: 1200 + priority: -6 + + admin-hotlist: + namespace: admin + enabled: true + version: 12.1.4 + chart: mosip/admin-hotlist + set: + # image.repository: "mosipid/hotlist-service" + # image.tag: "1.2.1.2" + resources.limits.cpu: "500m" + resources.limits.memory: "1500Mi" + resources.requests.cpu: "300m" + resources.requests.memory: "1500Mi" + startupProbe.failureThreshold: 60 + timeout: 1200 + priority: -9 + + admin-service: + namespace: admin + enabled: true + version: 12.1.4 + chart: mosip/admin-service + set: + # image.repository: "mosipid/admin-service" + # image.tag: "1.2.1.2" + resources.limits.cpu: "500m" + resources.limits.memory: "2000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "2000Mi" + istio.corsPolicy.allowOrigins[0].prefix: "https://admin.sandbox.xyz.net" + startupProbe.failureThreshold: 60 + timeout: 1200 + priority: -9 + + + admin-ui: + namespace: admin + enabled: true + version: 12.0.1 + chart: mosip/admin-ui + set: + # image.repository: "mosipqa/admin-ui" + # image.tag: "1.3.x" + admin.apiUrl: "https://api-internal.sandbox.xyz.net/v1/" + istio.hosts[0]: "admin.sandbox.xyz.net" + timeout: 1200 + priority: -9 + + + ida-keygen: + namespace: ida + enabled: true + version: 12.0.1 + chart: mosip/keygen + set: + springConfigNameEnv: "id-authentication" + softHsmCM: 
"softhsm-ida-share" + # persistence.enabled: false + # volumePermissions.enabled: false + # persistence.size: + # persistence.mountDir: "" + # persistence.pvc_claim_name: "" + timeout: 1200 + priority: -9 + + + ida-auth: + namespace: ida + enabled: true + version: 12.1.3 + chart: mosip/ida-auth + # set: + # image.repository: "mosipid/authentication-service" + # image.tag: "1.2.1.0" + # enable_insecure: "false" + # persistence.enabled: "false" + # volumePermissions.enabled: "false" + # persistence.mountDir: "" + # persistence.existingClaim: "" + timeout: 1200 + priority: -8 + hooks: + preInstall: "$WORKDIR/hooks/wait-for-idajob.sh" + + ida-internal: + namespace: ida + enabled: true + version: 12.1.3 + chart: mosip/ida-internal + # set: + # image.repository: "mosipid/authentication-internal-service" + # image.tag: "1.2.1.0" + # enable_insecure: "false" + # persistence.enabled: "false" + # volumePermissions.enabled: "false" + # persistence.mountDir: "" + # persistence.existingClaim: "" + timeout: 1200 + priority: -7 + + ida-otp: + namespace: ida + enabled: true + version: 12.1.3 + chart: mosip/ida-otp + # set: + # image.repository: "mosipid/authentication-otp-service" + # image.tag: "1.2.1.0" + # enable_insecure: false + # persistence.enabled: false + # volumePermissions.enabled: false + # persistence.mountDir: "" + # persistence.existingClaim: "" + timeout: 1200 + priority: -6 + + print-service: + namespace: print + enabled: true + version: 12.0.1 + chart: mosip/print-service + # set: + # image.repository: "mosipdev/print" + # image.tag: "release-1.3.x" + timeout: 1200 + priority: -5 + + + digitalcard: + namespace: digitalcard + enabled: true + version: 12.0.1 + chart: mosip/digitalcard + # set: + # image.repository: "mosipid/digital-card-service" + # image.tag: "1.2.0.1" + timeout: 1200 + priority: -5 + + + resident: + namespace: resident + enabled: true + version: 12.3.1 + chart: mosip/resident + set: + image.repository: "mosipid/resident-service" + image.tag: 
"1.2.1.3" + resources.requests.cpu: "300m" + resources.requests.memory: "2000Mi" + startupProbe.failureThreshold: "60" + istio.corsPolicy.allowOrigins[0].prefix: "https://resident.sandbox.xyz.net" + timeout: 1200 + wait: true + priority: -4 + hooks: + preInstall: "$WORKDIR/hooks/resident-setup.sh" + + resident-ui: + namespace: resident + enabled: true + version: 0.9.1 + chart: mosip/resident-ui + set: + # image.repository: "mosipdev2/resident-ui" + # image.tag: "release-0.9.x" + resident.apiHost: "api-internal.sandbox.xyz.net" + istio.hosts[0]: "resident.sandbox.xyz.net" + wait: true + timeout: 1200 + priority: -3 + + partner-onboarder: + namespace: onboarder + enabled: true + version: 12.0.1 + chart: mosip/partner-onboarder + set: + # image.repository: "mosipqa/partner-onboarder" + # image.tag: "develop" + # onboarding.configmaps.onboarding.enable_insecure: "false" + # onboarding.variables.push_reports_to_s3: "true" + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + #onboarding.secrets.s3.s3-user-secret: "password" + # onboarding.volumes.reports.nfs.server: "" + # # provide NFS directory to store reports from NFS server (e.g. 
/srv/nfs//onboarder/), make sure permission is 777 for the folder: " nfs_path + # onboarding.volumes.reports.nfs.path: "" + extraEnvVarsCM[0]: "global" + extraEnvVarsCM[1]: "keycloak-env-vars" + extraEnvVarsCM[2]: "keycloak-host" + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: true + onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: true + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: true + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: true + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: true + onboarding.modules[5].name: "digitalcard" + onboarding.modules[5].enabled: true + onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: false + onboarding.modules[7].name: "demo-oidc" + onboarding.modules[7].enabled: false + onboarding.modules[8].name: "resident-oidc" + onboarding.modules[8].enabled: false + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: true + wait: true + timeout: 1200 + priority: -2 + hooks: + preInstall: "$WORKDIR/hooks/partner-onboarder-setup.sh" + + mosip-file-server: + namespace: mosip-file-server + enabled: true + version: 12.0.2 + chart: mosip/mosip-file-server + set: + image.repository: "mosipid/mosip-file-server" + image.tag: "1.2.0.1" + mosipfileserver.host: "api.sandbox.xyz.net" + # mosipfileserver.secrets.KEYCLOAK_CLIENT_SECRET: "" + istio.corsPolicy.allowOrigins[0].prefix: "https://api.sandbox.xyz.net" + istio.corsPolicy.allowOrigins[1].prefix: "https://api-internal.sandbox.xyz.net" + istio.corsPolicy.allowOrigins[2].prefix: "https://verifiablecredential.io" + priority: -1 + timeout: 1200 + + regclient: + namespace: regclient + enabled: true + version: 1.3.0-beta.1 + chart: mosip/regclient + set: + startupProbe.failureThreshold: "60" + image.repository: "mosipid/registration-client" + image.tag: "1.2.0.2" + regclient.version: "1.2.0.2" + regclient.upgradeServerUrl: 
"https://regclient.sandbox.xyz.net" + regclient.healthCheckUrl: "https://api-internal.sandbox.xyz.net/v1/syncdata/actuator/health" + regclient.hostName: "api-internal.sandbox.xyz.net" + istio.host: "regclient.sandbox.xyz.net" + priority: -1 + timeout: 1200 diff --git a/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml new file mode 100644 index 00000000..9e8d446a --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml 
@@ -0,0 +1,111 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + banzaicloud-stable: https://charts.helm.sh/stable + +# Note: Based on your requirement disable the namespaces which you want to use, by default all the namespaces are protected. +namespaces: + kube-system: + protected: true + cattle-monitoring-system: + protected: true + cattle-logging-system: + protected: true + istio-system: + protected: true + istio-operator: + protected: true + httpbin: + protected: true + +apps: + rancher-monitoring-crd: + namespace: cattle-monitoring-system + enabled: true + version: 103.1.1+up45.31.1 + chart: mosip/rancher-monitoring-crd + wait: true + timeout: 900 + priority: -6 + hooks: + postInstall: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net ${ISTIO_VERSION}" + postUpgrade: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net ${ISTIO_VERSION}" + + rancher-monitoring: + namespace: cattle-monitoring-system + enabled: false + version: 103.1.0+up45.31.1 + chart: mosip/rancher-monitoring + set: + grafana.global.cattle.clusterId: "$CLUSTER_ID" + global.cattle.clusterId: "$CLUSTER_ID" + wait: true + valuesFile: "$WORKDIR/utils/monitoring_values.yaml" + priority: -5 + timeout: 600 + hooks: + postInstall: "$WORKDIR/hooks/alerting-setup.sh " + + elasticsearch: + namespace: cattle-logging-system + enabled: true + version: 17.9.25 + chart: mosip/elasticsearch + set: + image.repository: "mosipint/elasticsearch" + image.tag: "7.17.2-debian-10-r4" + # Kibana configuration and image + global.kibanaEnabled: "true" + kibana.image.repository: "mosipid/kibana" + kibana.image.tag: "7.17.2-debian-10-r0" + kibana.image.pullPolicy: IfNotPresent + data.heapSize: "728m" + data.persistence.enabled: "true" + data.persistence.size: "64Gi" + data.resources.requests.memory: "1100Mi" + master.heapSize: "1024m" + master.persistence.enabled: 
"true" + master.persistence.size: "4Gi" + master.resources.requests.memory: "1536Mi" + kibana.persistence.enabled: "false" + sysctlImage.repository: "mosipid/os-shell" + sysctlImage.tag: "12-debian-12-r46" + wait: true + timeout: 900 + priority: -4 + + istio-addons-logging: + namespace: cattle-logging-system + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/logging-istio-addons-0.1.0.tgz + set: + kibanaHost: "kibana.sandbox.xyz.net" + installName: "elasticsearch-kibana" + wait: true + priority: -3 + + rancher-logging-crd: + namespace: cattle-logging-system + enabled: true + version: 103.1.1+up4.4.0 + chart: mosip/rancher-logging-crd + wait: true + priority: -2 + + rancher-logging: + namespace: cattle-logging-system + enabled: true + version: 103.1.1+up4.4.0 + chart: mosip/rancher-logging + valuesFile: "$WORKDIR/utils/rancher-logging-values.yaml" + wait: true + priority: -1 + timeout: 1200 + hooks: + postInstall: "$WORKDIR/hooks/post_logging-setup.sh" diff --git a/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml new file mode 100644 index 00000000..751ed34f --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml 
@@ -0,0 +1,182 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + +# Note: Based on your requirement disable the namespaces which you want to use, by default all the namespaces are protected. +namespaces: + apitestrig: + protected: false + packetcreator: + protected: false + dslrig: + protected: false + uitestrig: + protected: false + +apps: + packetcreator: + namespace: packetcreator + enabled: true + version: 1.3.0 + chart: mosip/packetcreator + set: + # image.repository: "mosipqa/dsl-packetcreator" + # image.tag: "1.2.1.x" + resources.limits.cpu: "1" + resources.limits.memory: "6000Mi" + resources.requests.cpu: "800m" + resources.requests.memory: "6000Mi" + enable_insecure: false + ingress.enabled: false + ## If ingress enabled, provide ingress host value i.e., PACKETCREATOR_HOST + ingress.host: "" + istio.enabled: true + wait: true + timeout: 2800 + priority: -4 + hooks: + preInstall: "$WORKDIR/hooks/packetcreator-setup.sh" + + apitestrig: + namespace: apitestrig + enabled: true + version: 1.3.4 + chart: mosip/apitestrig + set: + crontime: "0 2 * * *" + apitestrig.configmaps.s3.s3-host: 'http://minio.minio:9000' + apitestrig.configmaps.s3.s3-user-key: 'admin' + apitestrig.configmaps.s3.s3-region: '' + apitestrig.configmaps.db.db-server: "api-internal.sandbox.xyz.net" + apitestrig.configmaps.db.db-su-user: "postgres" + apitestrig.configmaps.db.db-port: "5433" + apitestrig.configmaps.apitestrig.ENV_USER: "api-internal." 
+ apitestrig.configmaps.apitestrig.ENV_ENDPOINT: "https://api-internal.sandbox.xyz.net" + apitestrig.configmaps.apitestrig.ENV_TESTLEVEL: "smokeAndRegression" + apitestrig.configmaps.apitestrig.reportExpirationInDays: "3" + apitestrig.configmaps.apitestrig.slack-webhook-url: "$SLACK_WEBHOOK_URL" + apitestrig.configmaps.apitestrig.eSignetDeployed: "yes" + apitestrig.configmaps.apitestrig.NS: apitestrig + apitestrig.configmaps.apitestrig.servicesNotDeployed: '' + apitestrig.configmaps.apitestrig.uinGenerationProcessingDelayTimeInMilliSeconds: "600000" + apitestrig.configmaps.apitestrig.vidGenerationProcessingDelayTimeInMilliSeconds: "600000" + + modules.prereg.enabled: true + modules.prereg.image.repository: mosipid/apitest-prereg + modules.prereg.image.tag: 1.2.0.3 + modules.prereg.image.pullPolicy: Always + + modules.masterdata.enabled: true + modules.masterdata.image.repository: mosipid/apitest-masterdata + modules.masterdata.image.tag: 1.2.1.3 + modules.masterdata.image.pullPolicy: Always + + modules.idrepo.enabled: true + modules.idrepo.image.repository: mosipid/apitest-idrepo + modules.idrepo.image.tag: 1.2.2.4 + modules.idrepo.image.pullPolicy: Always + + modules.partner.enabled: true + modules.partner.image.repository: mosipid/apitest-pms + modules.partner.image.tag: 1.2.2.2 + modules.partner.image.pullPolicy: Always + + modules.pms.enabled: false + modules.pms.image.repository: mosipid/apitest-pms + modules.pms.image.tag: 1.3.0-beta.4 + modules.pms.image.pullPolicy: Always + + modules.resident.enabled: true + modules.resident.image.repository: mosipid/apitest-resident + modules.resident.image.tag: 1.2.1.3 + modules.resident.image.pullPolicy: Always + + modules.auth.enabled: true + modules.auth.image.repository: mosipid/apitest-auth + modules.auth.image.tag: 1.2.1.3 + modules.auth.image.pullPolicy: Always + + modules.esignet.enabled: false + modules.esignet.image.repository: mosipid/apitest-esignet + modules.esignet.image.tag: 1.5.1 + 
modules.esignet.image.pullPolicy: Always + + modules.mimoto.enabled: false + modules.mimoto.image.repository: mosipid/apitest-mimoto + modules.mimoto.image.tag: 0.20.0 + modules.mimoto.image.pullPolicy: Always + + modules.injicertify.enabled: false + modules.injicertify.image.repository: mosipid/apitest-injicertify + modules.injicertify.image.tag: 0.13.0 + modules.injicertify.image.pullPolicy: Always + + modules.esignet-signup.enabled: false + modules.esignet-signup.image.repository: mosipid/apitest-esignet-signup + modules.esignet-signup.image.tag: 1.3.1 + modules.esignet-signup.image.pullPolicy: Always + + modules.variables.push_reports_to_s3: "yes" + priority: -3 + hooks: + preInstall: "$WORKDIR/hooks/apitestrig-setup.sh" + dslorchestrator: + namespace: dslrig + enabled: true + version: 1.3.0 + chart: mosip/dslorchestrator + set: + # image.repository: "mosipqa/dsl-orchestrator" + # image.tag: "1.2.1.x" + crontime: "0 4 * * *" + dslorchestrator.configmaps.s3.s3-host: 'http://minio.minio:9000' + dslorchestrator.configmaps.s3.s3-user-key: 'admin' + dslorchestrator.configmaps.s3.s3-region: '' + dslorchestrator.configmaps.db.db-server: "api-internal.sandbox.xyz.net" + dslorchestrator.configmaps.db.db-su-user: "postgres" + dslorchestrator.configmaps.db.db-port: "5433" + dslorchestrator.configmaps.dslorchestrator.USER: "api-internal." 
+ dslorchestrator.configmaps.dslorchestrator.ENDPOINT: "https://api-internal.sandbox.xyz.net" + dslorchestrator.configmaps.dslorchestrator.packetUtilityBaseUrl: "http://packetcreator.packetcreator:80/v1/packetcreator" + dslorchestrator.configmaps.dslorchestrator.reportExpirationInDays: "3" + dslorchestrator.configmaps.dslorchestrator.NS: "dslrig" + dslorchestrator.configmaps.dslorchestrator.servicesNotDeployed: "" + dslorchestrator.configmaps.dslorchestrator.eSignetDeployed: "yes" + dslorchestrator.configmaps.dslorchestrator.threadCount: "8" + dslorchestrator.configmaps.dslorchestrator.scenariosToSkip: "" + enable_insecure: false + priority: -2 + hooks: + preInstall: "$WORKDIR/hooks/dslrig-setup.sh" + uitestrig: + namespace: uitestrig + enabled: true + version: 12.0.2 + chart: mosip/uitestrig + set: + # image.repository: "" + # image.tag: "develop" + enable_insecure: false + crontime: "0 3 * * *" + uitestrig.configmaps.s3.s3-host: "http://minio.minio:9000" + uitestrig.configmaps.s3.s3-user-key: "admin" + uitestrig.configmaps.s3.s3-region: "" + uitestrig.configmaps.db.db-server: "api-internal.sandbox.xyz.net" + uitestrig.configmaps.db.db-su-user: "postgres" + uitestrig.configmaps.db.db-port: "5433" + uitestrig.configmaps.uitestrig.apiInternalEndPoint: "https://api-internal.sandbox.xyz.net" + uitestrig.configmaps.uitestrig.apiEnvUser: "api-internal.sandbox.xyz.net" + uitestrig.configmaps.uitestrig.PmpPortalPath: "https://pmp.sandbox.xyz.net" + uitestrig.configmaps.uitestrig.adminPortalPath: "https://admin.sandbox.xyz.net" + uitestrig.configmaps.uitestrig.residentPortalPath: "https://resident.sandbox.xyz.net" + uitestrig.configmaps.uitestrig.NS: "uitestrig" + + priority: -1 + hooks: + preInstall: "$WORKDIR/hooks/uitestrig-setup.sh" + postInstall: "$WORKDIR/hooks/trigger-test-jobs.sh" diff --git a/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh new file mode 100755 index 00000000..2aa2a559 --- /dev/null 
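Review bot: `apitestrig.configmaps.apitestrig.slack-webhook-url: "$SLACK_WEBHOOK_URL"` places the Slack webhook URL under the chart's configmaps; a webhook URL is a bearer-style credential (whoever holds it can post to the channel), so it is readable by anyone with ConfigMap read access in the `apitestrig` namespace and will appear in plain text in `kubectl describe`. If the apitestrig chart exposes a secrets section, as the partner-onboarder block in this commit does with `onboarding.secrets.s3.s3-user-secret`, the webhook belongs there; otherwise a comment such as `# slack-webhook-url grants post access to the channel; treat this ConfigMap as sensitive` would at least flag it. Separately, `apitestrig.configmaps.apitestrig.ENV_USER: "api-internal."` and `dslorchestrator.configmaps.dslorchestrator.USER: "api-internal."` end in a bare dot while the uitestrig block uses the full `api-internal.sandbox.xyz.net`; if the trailing dot is not a deliberate prefix the chart completes, the host is truncated.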
+++ b/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Captcha Post-install
+# =============================================================================
+# Based on: deploy/captcha/install.sh
+# Configures captcha secrets for eSignet and patches captcha deployment
+# with the secret key environment variable.
+#
+# Environment Variables:
+# CAPTCHA_SITE_KEY - reCAPTCHA site key (REQUIRED)
+# CAPTCHA_SECRET_KEY - reCAPTCHA secret key (REQUIRED)
+# ESIGNET_NS - eSignet namespace (default: esignet)
+# =============================================================================
+set -euo pipefail
+
+ESIGNET_NS="${ESIGNET_NS:-esignet}"
+CAPTCHA_NS="captcha"
+CAPTCHA_SITE_KEY="${CAPTCHA_SITE_KEY:?ERROR: CAPTCHA_SITE_KEY environment variable must be set}"
+CAPTCHA_SECRET_KEY="${CAPTCHA_SECRET_KEY:?ERROR: CAPTCHA_SECRET_KEY environment variable must be set}"
+
+echo "================================================"
+echo "eSignet 1.7.1 - Captcha Post-install"
+echo "================================================"
+
+# --- Step 1: Create captcha secrets for eSignet ---
+# Source: deploy/captcha/install.sh - captcha secrets section
+echo "Creating esignet-captcha secret in $ESIGNET_NS namespace"
+kubectl -n "$ESIGNET_NS" create secret generic esignet-captcha \
+ --from-literal=esignet-captcha-site-key="$CAPTCHA_SITE_KEY" \
+ --from-literal=esignet-captcha-secret-key="$CAPTCHA_SECRET_KEY" \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+# --- Step 2: Copy captcha secret to captcha namespace ---
+# Source: deploy/captcha/install.sh -> ../copy_cm_func.sh secret esignet-captcha esignet captcha
+echo "Copying esignet-captcha secret to $CAPTCHA_NS namespace"
+kubectl -n "$ESIGNET_NS" get secret esignet-captcha -o yaml | \
+ sed "s/namespace: $ESIGNET_NS/namespace: $CAPTCHA_NS/g" | \
+ kubectl apply -f -
+
+# --- Step 3: Patch captcha deployment with secret env var ---
+# Source: deploy/captcha/install.sh - MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET
+echo "Patching captcha deployment with secret key environment variable"
+ENV_VAR_EXISTS=$(kubectl -n "$CAPTCHA_NS" get deployment captcha -o jsonpath="{.spec.template.spec.containers[0].env[?(@.name=='MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET')].name}" 2>/dev/null || echo "")
+
+if [[ -z "$ENV_VAR_EXISTS" ]]; then
+ echo "Adding MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET env var..."
+ # Ensure env array exists before appending to it
+ ENV_ARRAY_EXISTS=$(kubectl -n "$CAPTCHA_NS" get deployment captcha \
+ -o jsonpath="{.spec.template.spec.containers[0].env}" 2>/dev/null || echo "")
+ if [[ -z "$ENV_ARRAY_EXISTS" ]]; then
+ echo "env array not found, initializing..."
+ kubectl patch deployment -n "$CAPTCHA_NS" captcha --type='json' \
+ -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env", "value": []}]'
+ fi
+ kubectl patch deployment -n "$CAPTCHA_NS" captcha --type='json' \
+ -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET", "valueFrom": {"secretKeyRef": {"name": "esignet-captcha", "key": "esignet-captcha-secret-key"}}}}]'
+else
+ echo "MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET env var already exists."
+fi
+
+echo "Captcha post-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh
new file mode 100755
index 00000000..523aedc0
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh
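Review bot: In Step 2 the rewritten manifest is piped into `kubectl apply -f -` without `-n`, so the destination namespace depends entirely on the `sed` substitution matching; if it does not (the pattern is unanchored with `/g`, unlike the anchored `^\(\s*namespace:\) ... $` form used by esignet-init-db.sh and esignet-preinstall.sh in this same commit), apply silently re-applies the secret onto `$ESIGNET_NS` and the hook reports success. `kubectl -n "$CAPTCHA_NS" apply -f -` turns a namespace mismatch into a hard error; the same applies to the copies in esignet-init-db.sh and keycloak-postinstall.sh. Separately, Step 1 passes `$CAPTCHA_SECRET_KEY` on the command line via `--from-literal`, where it is visible in the process table of the hook runner for the lifetime of the kubectl process; `--from-file=esignet-captcha-secret-key=<(printf '%s' "$CAPTCHA_SECRET_KEY")` keeps the value off argv.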
@@ -0,0 +1,23 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Demo OIDC Partner Onboarder Post-install
+# =============================================================================
+# Post-install validation after demo OIDC partner onboarding.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Demo OIDC Partner Onboarder Post-install"
+echo "================================================"
+
+# Check onboarding job status
+JOB_STATUS=$(kubectl -n esignet get jobs -l app.kubernetes.io/instance=esignet-demo-oidc-partner-onboarder -o jsonpath='{.items[0].status.succeeded}' 2>/dev/null || echo "")
+
+if [ "$JOB_STATUS" = "1" ]; then
+ echo "Demo OIDC partner onboarding completed successfully."
+else
+ echo "WARNING: Demo OIDC partner onboarding job may not have completed. Check logs."
+ kubectl -n esignet logs -l app.kubernetes.io/instance=esignet-demo-oidc-partner-onboarder --tail=20 2>/dev/null || true
+fi
+
+echo "Demo OIDC partner onboarder post-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh
new file mode 100755
index 00000000..71170cdf
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh
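Review bot: The job-status check hardcodes the `esignet` namespace (`kubectl -n esignet get jobs ...`, and again on the `logs` line) while the sibling hooks in this commit read it from `${ESIGNET_NS:-esignet}`; the same hardcoding appears in the demo-oidc pre-install, partner-onboarder post-install and partner-onboarder pre-install hunks. `.items[0].status.succeeded` is also a one-shot snapshot: if the hook runs before the Job has finished, or more than one Job carries the label after a re-run, the script prints a warning and still exits 0, so a failed onboarding does not fail the deployment. If failing the hook is the intended behaviour, `kubectl -n "$ESIGNET_NS" wait --for=condition=complete job -l app.kubernetes.io/instance=esignet-demo-oidc-partner-onboarder --timeout=600s` in place of the snapshot both waits and returns non-zero when the Job does not complete.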
@@ -0,0 +1,20 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Demo OIDC Partner Onboarder Pre-install
+# =============================================================================
+# Prepares for demo OIDC partner onboarding.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Demo OIDC Partner Onboarder Pre-install"
+echo "================================================"
+
+# Ensure esignet namespace exists
+kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f -
+
+# Verify eSignet service is running
+kubectl -n esignet wait --for=condition=ready pod -l app.kubernetes.io/name=esignet --timeout=300s 2>/dev/null || \
+ echo "WARNING: eSignet pods not ready. Demo OIDC partner onboarding may fail."
+
+echo "Demo OIDC partner onboarder pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh b/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh
new file mode 100755
index 00000000..6e44ef3d
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh
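Review bot: `2>/dev/null` on the `kubectl wait` line discards the reason the wait failed (timeout, no pod matching `app.kubernetes.io/name=esignet`, RBAC denial), so the WARNING that follows gives the operator nothing to act on; the partner-onboarder pre-install hunk has the same redirect. Dropping it keeps the diagnostic on stderr next to the warning: `kubectl -n esignet wait --for=condition=ready pod -l app.kubernetes.io/name=esignet --timeout=300s || \` followed by the existing echo. Note that `kubectl wait` returns immediately with "no matching resources found" when no pod carries the label yet, so the 300s timeout only covers pods that already exist; presumably they do by the time this hook runs, but that is inferred, not visible here.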
@@ -0,0 +1,45 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Database Init Pre-install (postgres-init-esignet)
+# =============================================================================
+# Based on: deploy/postgres/postgres-init.sh
+# Copies postgres secrets from postgres namespace to esignet namespace
+# before the postgres-init helm chart runs DB initialization.
+#
+# Environment Variables:
+# ESIGNET_NS - eSignet namespace (default: esignet)
+# =============================================================================
+set -euo pipefail
+
+ESIGNET_NS="${ESIGNET_NS:-esignet}"
+POSTGRES_NS="postgres"
+
+echo "================================================"
+echo "eSignet 1.7.1 - Database Init Pre-install"
+echo "================================================"
+
+# --- Step 1: Ensure esignet namespace exists with istio ---
+kubectl create namespace "$ESIGNET_NS" --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace "$ESIGNET_NS" istio-injection=enabled --overwrite
+
+# --- Step 2: Copy postgres-postgresql secret from postgres to esignet ---
+# Source: deploy/postgres/postgres-init.sh -> ../copy_cm_func.sh secret postgres-postgresql postgres esignet
+echo "Copying postgres-postgresql secret to $ESIGNET_NS namespace"
+kubectl -n "$POSTGRES_NS" get secret postgres-postgresql -o yaml | \
+ sed "s|^\(\s*namespace:\) $POSTGRES_NS$|\1 $ESIGNET_NS|" | \
+ kubectl apply -f -
+
+# --- Step 3: Copy db-common-secrets from postgres to esignet ---
+# Source: deploy/postgres/postgres-init.sh -> ../copy_cm_func.sh secret db-common-secrets postgres esignet
+echo "Copying db-common-secrets to $ESIGNET_NS namespace"
+kubectl -n "$POSTGRES_NS" get secret db-common-secrets -o yaml | \
+ sed "s|^\(\s*namespace:\) $POSTGRES_NS$|\1 $ESIGNET_NS|" | \
+ kubectl apply -f -
+
+# --- Step 4: Copy postgres-config configmap from postgres to esignet ---
+echo "Copying postgres-config configmap to $ESIGNET_NS namespace"
+kubectl -n "$POSTGRES_NS" get configmap postgres-config -o yaml | \
+ sed "s|^\(\s*namespace:\) $POSTGRES_NS$|\1 $ESIGNET_NS|" | \
+ kubectl apply -f -
+
+echo "Database init pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh
new file mode 100755
index 00000000..14ba9128
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Partner Onboarder Post-install
+# =============================================================================
+# Post-install cleanup and validation after partner onboarding.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Partner Onboarder Post-install"
+echo "================================================"
+
+# Check onboarding job status
+JOB_STATUS=$(kubectl -n esignet get jobs -l app.kubernetes.io/instance=esignet-resident-oidc-partner-onboarder -o jsonpath='{.items[0].status.succeeded}' 2>/dev/null || echo "")
+
+if [ "$JOB_STATUS" = "1" ]; then
+ echo "Partner onboarding completed successfully."
+else
+ echo "WARNING: Partner onboarding job may not have completed. Check logs."
+ kubectl -n esignet logs -l app.kubernetes.io/instance=esignet-resident-oidc-partner-onboarder --tail=20 2>/dev/null || true
+fi
+
+echo "Partner onboarder post-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh
new file mode 100755
index 00000000..aca06794
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh
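Review bot: Step 2 copies the entire `postgres-postgresql` secret into `$ESIGNET_NS`; that secret presumably holds the database superuser password (the testrigs DSF in this commit configures `db-su-user: "postgres"` against the same server), so after this hook every workload and every secret reader in the esignet namespace holds superuser access to the shared database, not just the postgres-init job. If postgres-init needs the superuser only at schema-creation time, a comment naming what is actually consumed, e.g. `# postgres-init reads only <KEY-PLACEHOLDER> from postgres-postgresql; the copy is removed in <CLEANUP-STEP-PLACEHOLDER>`, plus a post-install step that deletes the copied secret, would bound the exposure. Whether the chart tolerates that cleanup cannot be determined from this hunk.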
@@ -0,0 +1,27 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Partner Onboarder Pre-install
+# =============================================================================
+# Prepares for eSignet + Resident OIDC partner onboarding.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Partner Onboarder Pre-install"
+echo "================================================"
+
+# Ensure esignet namespace exists
+kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f -
+
+# Verify eSignet service is running
+kubectl -n esignet wait --for=condition=ready pod -l app.kubernetes.io/name=esignet --timeout=300s 2>/dev/null || \
+ echo "WARNING: eSignet pods not ready. Partner onboarding may fail."
+
+# Verify Keycloak is accessible
+if kubectl -n keycloak get svc keycloak &>/dev/null; then
+ echo "Keycloak service found."
+else
+ echo "WARNING: Keycloak service not found. Partner onboarding requires Keycloak."
+fi
+
+echo "Partner onboarder pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh
new file mode 100755
index 00000000..73a2076c
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - eSignet Service Pre-install
+# =============================================================================
+# Based on: deploy/esignet/install.sh
+# Prepares esignet namespace with all required configmaps and secrets
+# (softhsm, postgres, redis) before eSignet helm chart deployment.
+#
+# Environment Variables:
+# ESIGNET_NS - eSignet namespace (default: esignet)
+# ENABLE_INSECURE - Set to "true" if no valid SSL (default: false)
+# SERVICE_MONITOR_FLAG - Enable prometheus service monitor (default: false)
+# =============================================================================
+set -euo pipefail
+
+ESIGNET_NS="${ESIGNET_NS:-esignet}"
+SOFTHSM_NS="${SOFTHSM_NS:-softhsm}"
+POSTGRES_NS="postgres"
+REDIS_NS="redis"
+
+echo "================================================"
+echo "eSignet 1.7.1 - eSignet Service Pre-install"
+echo "================================================"
+
+# --- Step 1: Ensure esignet namespace exists with istio ---
+echo "Setting up $ESIGNET_NS namespace"
+kubectl create namespace "$ESIGNET_NS" --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace "$ESIGNET_NS" istio-injection=enabled --overwrite
+
+# --- Step 2: Update helm repos ---
+helm repo add mosip https://mosip.github.io/mosip-helm || true
+helm repo update
+
+# --- Step 3: Copy configmaps from other namespaces ---
+# Source: deploy/esignet/install.sh -> copy_cm_func.sh calls
+
+# Copy esignet-softhsm-share configmap from softhsm namespace
+echo "Copying esignet-softhsm-share configmap from $SOFTHSM_NS"
+if kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share &>/dev/null; then
+ kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true configmap esignet-softhsm-share
+ kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share -o yaml | \
+ sed "s|^\(\s*namespace:\) $SOFTHSM_NS$|\1 $ESIGNET_NS|" | \
+ kubectl -n "$ESIGNET_NS" create -f -
+else
+ echo "WARNING: esignet-softhsm-share configmap not found in $SOFTHSM_NS"
+fi
+
+# Copy postgres-config configmap from postgres namespace
+echo "Copying postgres-config configmap from $POSTGRES_NS"
+if kubectl -n "$POSTGRES_NS" get configmap postgres-config &>/dev/null; then
+ kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true configmap postgres-config
+ kubectl -n "$POSTGRES_NS" get configmap postgres-config -o yaml | \
+ sed "s|^\(\s*namespace:\) $POSTGRES_NS$|\1 $ESIGNET_NS|" | \
+ kubectl -n "$ESIGNET_NS" create -f -
+else
+ echo "WARNING: postgres-config configmap not found in $POSTGRES_NS"
+fi
+
+# Copy redis-config configmap from redis namespace
+echo "Copying redis-config configmap from $REDIS_NS"
+if kubectl -n "$REDIS_NS" get configmap redis-config &>/dev/null; then
+ kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true configmap redis-config
+ kubectl -n "$REDIS_NS" get configmap redis-config -o yaml | \
+ sed "s|^\(\s*namespace:\) $REDIS_NS$|\1 $ESIGNET_NS|" | \
+ kubectl -n "$ESIGNET_NS" create -f -
+else
+ echo "WARNING: redis-config configmap not found in $REDIS_NS"
+fi
+
+# --- Step 4: Copy secrets from other namespaces ---
+
+# Copy esignet-softhsm secret from softhsm namespace
+echo "Copying esignet-softhsm secret from $SOFTHSM_NS"
+if kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm &>/dev/null; then
+ kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true secret esignet-softhsm
+ kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm -o yaml | \
+ sed "s|^\(\s*namespace:\) $SOFTHSM_NS$|\1 $ESIGNET_NS|" | \
+ kubectl -n "$ESIGNET_NS" create -f -
+else
+ echo "WARNING: esignet-softhsm secret not found in $SOFTHSM_NS"
+fi
+
+# Copy redis secret from redis namespace
+echo "Copying redis secret from $REDIS_NS"
+if kubectl -n "$REDIS_NS" get secret redis &>/dev/null; then
+ kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true secret redis
+ kubectl -n "$REDIS_NS" get secret redis -o yaml | \
+ sed "s|^\(\s*namespace:\) $REDIS_NS$|\1 $ESIGNET_NS|" | \
+ kubectl -n "$ESIGNET_NS" create -f -
+else
+ echo "WARNING: redis secret not found in $REDIS_NS"
+fi
+
+echo "eSignet pre-install completed. All configmaps and secrets copied."
diff --git a/Helmsman/hooks/esignet-1.7.1/kafka-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/kafka-postinstall.sh
new file mode 100755
index 00000000..a3c3ae77
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/kafka-postinstall.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Kafka Post-install
+# =============================================================================
+# Based on: deploy/install-prereq.sh (kafka section)
+# Creates kafka-config configmap in esignet namespace after Kafka deployment.
+#
+# Environment Variables:
+# KAFKA_URL - Kafka bootstrap servers URL (default: internal kafka cluster)
+# ESIGNET_NS - eSignet namespace (default: esignet)
+# =============================================================================
+set -euo pipefail
+
+ESIGNET_NS="${ESIGNET_NS:-esignet}"
+KAFKA_URL="${KAFKA_URL:-kafka-0.kafka-headless.kafka.svc.cluster.local:9092,kafka-1.kafka-headless.kafka.svc.cluster.local:9092,kafka-2.kafka-headless.kafka.svc.cluster.local:9092}"
+
+echo "================================================"
+echo "eSignet 1.7.1 - Kafka Post-install"
+echo "================================================"
+
+# --- Create kafka-config configmap in esignet namespace ---
+# Source: deploy/install-prereq.sh - kafka configmap creation
+echo "Creating kafka-config configmap in $ESIGNET_NS namespace"
+kubectl -n "$ESIGNET_NS" create configmap kafka-config \
+ --from-literal=SPRING_KAFKA_BOOTSTRAP-SERVERS="$KAFKA_URL" \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+echo "Kafka post-install completed."
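Review bot: Steps 3 and 4 repeat the same ten-line copy block five times, differing only in resource kind, name and source namespace; a `copy_resource` helper keeps the anchored `sed` and the delete-then-create sequence in one place so a future fix lands once. The sketch below is behaviourally the same except that the "Copying …" line is printed after the existence check rather than before it. `helm repo add mosip ... || true` in Step 2 also masks a genuine failure (for example a pre-existing `mosip` entry pointing at a different URL); `helm repo add --force-update mosip https://mosip.github.io/mosip-helm` is the idempotent form, if that is what the `|| true` intends. Whether a Helmsman pre-install hook needs to touch helm repos at all is unclear from here, since the DSF files in this commit declare `helmRepos` themselves.
```shell
# … unchanged: header, namespace setup, helm repo steps …

# Copy a configmap or secret from src_ns into $ESIGNET_NS, replacing any existing copy.
# Arguments: $1 - kind (configmap|secret), $2 - name, $3 - source namespace
copy_resource() {
  local kind="$1" name="$2" src_ns="$3"
  if ! kubectl -n "$src_ns" get "$kind" "$name" &>/dev/null; then
    echo "WARNING: $name $kind not found in $src_ns"
    return 0
  fi
  echo "Copying $name $kind from $src_ns"
  kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true "$kind" "$name"
  kubectl -n "$src_ns" get "$kind" "$name" -o yaml | \
    sed "s|^\(\s*namespace:\) $src_ns$|\1 $ESIGNET_NS|" | \
    kubectl -n "$ESIGNET_NS" create -f -
}

# --- Step 3: Copy configmaps from other namespaces ---
copy_resource configmap esignet-softhsm-share "$SOFTHSM_NS"
copy_resource configmap postgres-config "$POSTGRES_NS"
copy_resource configmap redis-config "$REDIS_NS"

# --- Step 4: Copy secrets from other namespaces ---
copy_resource secret esignet-softhsm "$SOFTHSM_NS"
copy_resource secret redis "$REDIS_NS"

# … unchanged: final echo …
```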
diff --git a/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh
new file mode 100755
index 00000000..77d65b12
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh
@@ -0,0 +1,139 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Keycloak Post-install (Keycloak Init) +# ============================================================================= +# Based on: deploy/keycloak/keycloak-init.sh + deploy/initialise-prereq.sh +# Copies keycloak configmaps/secrets to esignet namespace and runs +# keycloak-init helm chart to create eSignet-specific clients and roles. +# +# Environment Variables: +# INSTALLATION_DOMAIN - Base domain (default: sandbox.xyz.net) +# KEYCLOAK_INIT_VERSION - keycloak-init chart version (default: 12.0.2) +# ESIGNET_NS - eSignet namespace (default: esignet) +# ============================================================================= +set -euo pipefail + +ESIGNET_NS="${ESIGNET_NS:-esignet}" +KEYCLOAK_NS="keycloak" +CHART_VERSION="${KEYCLOAK_INIT_VERSION:-12.0.2}" +INSTALLATION_DOMAIN="${INSTALLATION_DOMAIN:-sandbox.xyz.net}" +IAMHOST_URL="iam.${INSTALLATION_DOMAIN}" + +echo "================================================" +echo "eSignet 1.7.1 - Keycloak Post-install (Init)" +echo "================================================" + +# --- Step 1: Copy keycloak configmaps and secrets to esignet namespace --- +# Source: deploy/keycloak/keycloak-init.sh - copy_cm_func.sh calls +echo "Copying keycloak configmaps and secrets to $ESIGNET_NS namespace" + +# Copy keycloak-host configmap +if kubectl -n "$KEYCLOAK_NS" get configmap keycloak-host &>/dev/null; then + kubectl -n "$KEYCLOAK_NS" get configmap keycloak-host -o yaml | \ + sed "s/namespace: $KEYCLOAK_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "keycloak-host configmap copied." 
+else + # Create keycloak-host configmap if keycloak didn't create it + echo "Creating keycloak-host configmap" + kubectl -n "$ESIGNET_NS" create configmap keycloak-host \ + --from-literal=keycloak-external-url="https://$IAMHOST_URL" \ + --from-literal=keycloak-internal-url="http://keycloak.$KEYCLOAK_NS" \ + --dry-run=client -o yaml | kubectl apply -f - +fi + +# Copy keycloak-env-vars configmap +if kubectl -n "$KEYCLOAK_NS" get configmap keycloak-env-vars &>/dev/null; then + kubectl -n "$KEYCLOAK_NS" get configmap keycloak-env-vars -o yaml | \ + sed "s/namespace: $KEYCLOAK_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "keycloak-env-vars configmap copied." +fi + +# Copy keycloak secret +if kubectl -n "$KEYCLOAK_NS" get secret keycloak &>/dev/null; then + kubectl -n "$KEYCLOAK_NS" get secret keycloak -o yaml | \ + sed "s/namespace: $KEYCLOAK_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "keycloak secret copied." +fi + +# --- Step 2: Read existing client secrets if any --- +# Source: deploy/keycloak/keycloak-init.sh - reading existing secrets +echo "Checking for existing keycloak-client-secrets" +HELM_SET_SECRETS=() + +escape_helm_value() { + local value="$1" + value="${value//\\/\\\\}" + value="${value//,/\\,}" + value="${value//=/\\=}" + printf '%s' "$value" +} + +declare -A SECRET_KEYS=( + ["mosip_pms_client_secret"]="0" + ["mpartner_default_auth_secret"]="1" + ["mosip_ida_client_secret"]="2" + ["mosip_deployment_client_secret"]="3" + ["mpartner_default_mobile_secret"]="4" +) + +if kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets &>/dev/null; then + echo "Found existing keycloak-client-secrets. Preserving client secrets." 
+ for key in "${!SECRET_KEYS[@]}"; do + idx="${SECRET_KEYS[$key]}" + val=$(kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets \ + -o jsonpath="{.data.$key}" 2>/dev/null | base64 -d 2>/dev/null || echo "") + if [[ -n "$val" ]]; then + HELM_SET_SECRETS+=( + --set-string "clientSecrets[$idx].name=$key" + --set-string "clientSecrets[$idx].secret=$(escape_helm_value "$val")" + ) + fi + done +else + echo "No existing keycloak-client-secrets found. Fresh install." +fi + +# --- Step 3: Run keycloak-init helm chart --- +# Source: deploy/keycloak/keycloak-init.sh - helm install keycloak-init +echo "Installing esignet-keycloak-init" +helm repo add mosip https://mosip.github.io/mosip-helm || true +helm repo update + +kubectl -n "$ESIGNET_NS" delete secret --ignore-not-found=true keycloak-client-secrets +helm -n "$ESIGNET_NS" delete esignet-keycloak-init 2>/dev/null || true + +helm -n "$ESIGNET_NS" install esignet-keycloak-init mosip/keycloak-init \ + ${HELM_SET_SECRETS[@]+"${HELM_SET_SECRETS[@]}"} \ + --set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAMHOST_URL/auth" \ + --set keycloakInternalHost="keycloak.$KEYCLOAK_NS" \ + --set keycloakExternalHost="$IAMHOST_URL" \ + --version "$CHART_VERSION" --wait --wait-for-jobs + +# --- Step 4: Sync updated client secrets back to keycloak namespace --- +# Source: deploy/keycloak/keycloak-init.sh - secret sync back +echo "Syncing keycloak-client-secrets back to $KEYCLOAK_NS namespace" +if kubectl -n "$ESIGNET_NS" get secret keycloak-client-secrets &>/dev/null; then + if kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets &>/dev/null; then + # Update existing secret in keycloak namespace + for key in "${!SECRET_KEYS[@]}"; do + val=$(kubectl -n "$ESIGNET_NS" get secret keycloak-client-secrets \ + -o jsonpath="{.data.$key}" 2>/dev/null || echo "") + if [[ -n "$val" ]]; then + kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets -o json | \ + jq --arg k "$key" --arg v "$val" '.data[$k]=$v' 
| \ + kubectl apply -f - + fi + done + else + # Copy entire secret to keycloak namespace + kubectl -n "$ESIGNET_NS" get secret keycloak-client-secrets -o yaml | \ + sed "s/namespace: $ESIGNET_NS/namespace: $KEYCLOAK_NS/g" | \ + kubectl apply -f - + fi + echo "keycloak-client-secrets synced to $KEYCLOAK_NS namespace." +fi + +echo "Keycloak post-install (init) completed." diff --git a/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh new file mode 100755 index 00000000..0637202b --- /dev/null +++ b/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Mock Identity System Pre-install +# ============================================================================= +# Prepares esignet namespace for mock identity system deployment. +# ============================================================================= +set -euo pipefail + +echo "================================================" +echo "eSignet 1.7.1 - Mock Identity System Pre-install" +echo "================================================" + +# Ensure esignet namespace exists +kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f - + +# Verify SoftHSM mock identity configmap exists in esignet namespace +if kubectl -n esignet get configmap softhsm-mock-identity-system-share &>/dev/null; then + echo "SoftHSM mock identity system configmap found." +else + echo "ERROR: softhsm-mock-identity-system-share configmap not found in esignet namespace." + echo "Deploy/copy this shared ConfigMap before running mock identity system install." + exit 1 +fi + +echo "Mock identity system pre-install completed." 
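Review bot: In Step 2 the decoded client secrets are put on the helm command line through `--set-string "clientSecrets[$idx].secret=$(escape_helm_value "$val")"`, so every preserved Keycloak client secret is visible in the process list and in any shell trace or CI log that echoes the command; writing them to a `mktemp` values file (mode 0600) passed with `-f` keeps them off argv, and `jq` is already required by Step 4. The same argv exposure exists in postgres-postinstall.sh (`--from-literal=db-dbuser-password="$DB_USER_PASSWORD"`) and softhsm-mock-identity-system-postinstall.sh (`--from-literal=softhsm-pin=...`), where `--from-file=<key>=<(printf '%s' "$VAR")` lets kubectl read the value through a descriptor instead. Separately, the three `sed "s/namespace: $KEYCLOAK_NS/namespace: $ESIGNET_NS/g"` copies in Step 1 (and the two in softhsm-esignet-postinstall.sh) re-apply the whole fetched object, including `metadata.uid`, `metadata.resourceVersion`, `ownerReferences` and `managedFields`; I would expect the API server to reject or mis-attribute such a create, so strip them with `jq 'del(.metadata.uid,.metadata.resourceVersion,.metadata.creationTimestamp,.metadata.ownerReferences,.metadata.managedFields) | .metadata.namespace=$ns'` before piping to `kubectl apply`. With the values-file approach `escape_helm_value` becomes unused and can be dropped.
```shell
# … unchanged: header, Step 1, escape_helm_value, SECRET_KEYS …
HELM_VALUES_FILE=$(mktemp) || exit 1
trap 'rm -f -- "$HELM_VALUES_FILE"' EXIT
printf '{"clientSecrets":[]}\n' > "$HELM_VALUES_FILE"

if kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets &>/dev/null; then
  echo "Found existing keycloak-client-secrets. Preserving client secrets."
  for key in "${!SECRET_KEYS[@]}"; do
    idx="${SECRET_KEYS[$key]}"
    val=$(kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets \
      -o jsonpath="{.data.$key}" 2>/dev/null | base64 -d 2>/dev/null || echo "")
    if [[ -n "$val" ]]; then
      # jq quotes the value itself; no helm escaping and nothing on argv
      jq --arg n "$key" --arg s "$val" --argjson i "$idx" \
        '.clientSecrets[$i] = {name: $n, secret: $s}' \
        "$HELM_VALUES_FILE" > "$HELM_VALUES_FILE.new" \
        && mv -- "$HELM_VALUES_FILE.new" "$HELM_VALUES_FILE"
    fi
  done
else
  echo "No existing keycloak-client-secrets found. Fresh install."
fi
# … unchanged: helm repo add/update, delete of previous release and secret …
helm -n "$ESIGNET_NS" install esignet-keycloak-init mosip/keycloak-init \
  -f "$HELM_VALUES_FILE" \
  --set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAMHOST_URL/auth" \
  --set keycloakInternalHost="keycloak.$KEYCLOAK_NS" \
  --set keycloakExternalHost="$IAMHOST_URL" \
  --version "$CHART_VERSION" --wait --wait-for-jobs
```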
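Review bot: The namespace is hardcoded as `esignet` in every `kubectl` call of mock-identity-system-preinstall.sh, while the other hooks in this set (keycloak-postinstall.sh, postgres-preinstall.sh, oidc-ui-preinstall.sh) honor `ESIGNET_NS="${ESIGNET_NS:-esignet}"`; a deployment that overrides ESIGNET_NS would have its namespace creation and ConfigMap check land in a different namespace from the one the other hooks populate. The same hardcoding is in mock-relying-party-service-preinstall.sh, mock-relying-party-ui-preinstall.sh, softhsm-mock-identity-system-postinstall.sh (both `softhsm` and `esignet`) and softhsm-mock-identity-system-preinstall.sh. Adding `ESIGNET_NS="${ESIGNET_NS:-esignet}"` after `set -euo pipefail` and using `"$ESIGNET_NS"` in the calls aligns them, and the header's comment block should then list the variable as the other hooks do.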
diff --git a/Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh new file mode 100755 index 00000000..3077072e --- /dev/null +++ b/Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh @@ -0,0 +1,23 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Mock Relying Party Service Pre-install +# ============================================================================= +# Prepares for mock relying party service deployment. +# ============================================================================= +set -euo pipefail + +echo "================================================" +echo "eSignet 1.7.1 - Mock Relying Party Service Pre-install" +echo "================================================" + +# Ensure esignet namespace exists +kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f - + +# Verify eSignet service is available +if kubectl -n esignet get svc esignet &>/dev/null; then + echo "eSignet service found." +else + echo "WARNING: eSignet service not found. Mock relying party service needs eSignet to be running." +fi + +echo "Mock relying party service pre-install completed." diff --git a/Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-preinstall.sh new file mode 100755 index 00000000..e16d43f8 --- /dev/null +++ b/Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-preinstall.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Mock Relying Party UI Pre-install +# ============================================================================= +# Prepares for mock relying party UI deployment. +# ============================================================================= +set -euo pipefail + +echo "================================================" +echo "eSignet 1.7.1 - Mock Relying Party UI Pre-install" +echo "================================================" + +# Ensure esignet namespace exists +kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f - + +# Verify mock relying party service is available +if kubectl -n esignet get svc mock-relying-party-service &>/dev/null; then + echo "Mock relying party service found." +else + echo "WARNING: Mock relying party service not found. UI depends on the service being deployed." +fi + +echo "Mock relying party UI pre-install completed." diff --git a/Helmsman/hooks/esignet-1.7.1/oidc-ui-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/oidc-ui-preinstall.sh new file mode 100755 index 00000000..63cc2e0d --- /dev/null +++ b/Helmsman/hooks/esignet-1.7.1/oidc-ui-preinstall.sh 
@@ -0,0 +1,34 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - OIDC UI Pre-install +# ============================================================================= +# Based on: deploy/oidc-ui/install.sh +# Waits for eSignet service readiness before deploying OIDC UI. +# Theme, language, and provider name are configured via DSF helm set values. +# +# Environment Variables: +# ESIGNET_NS - eSignet namespace (default: esignet) +# ============================================================================= +set -euo pipefail + +ESIGNET_NS="${ESIGNET_NS:-esignet}" + +echo "================================================" +echo "eSignet 1.7.1 - OIDC UI Pre-install" +echo "================================================" + +# --- Step 1: Ensure esignet namespace exists --- +kubectl create namespace "$ESIGNET_NS" --dry-run=client -o yaml | kubectl apply -f - +kubectl label namespace "$ESIGNET_NS" istio-injection=enabled --overwrite + +# --- Step 2: Update helm repos --- +helm repo add mosip https://mosip.github.io/mosip-helm || true +helm repo update + +# --- Step 3: Wait for eSignet service to be available --- +# Source: deploy/oidc-ui/install.sh - eSignet must be running before OIDC UI +echo "Waiting for eSignet service to be ready..." +kubectl -n "$ESIGNET_NS" wait --for=condition=ready pod -l app.kubernetes.io/name=esignet --timeout=300s 2>/dev/null || \ + echo "WARNING: eSignet pods not yet ready. OIDC UI may need to retry connections." + +echo "OIDC UI pre-install completed." diff --git a/Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh new file mode 100755 index 00000000..6b78bb46 --- /dev/null +++ b/Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh 
@@ -0,0 +1,47 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Postgres Post-install +# ============================================================================= +# Based on: deploy/postgres/generate-secret-cm.py +# Creates postgres secrets (db-common-secrets) and configmap (postgres-config) +# after PostgreSQL helm chart deployment. Replaces interactive Python script +# with environment variable driven approach. +# +# Environment Variables: +# DB_USER_PASSWORD - Database user password (REQUIRED) +# POSTGRES_HOST - PostgreSQL host (default: postgres-postgresql.postgres) +# POSTGRES_PORT - PostgreSQL port (default: 5432) +# DB_USER - Database username (default: esignetuser) +# DB_NAME - Database name (default: mosip_esignet) +# ============================================================================= +set -euo pipefail + +POSTGRES_NS="postgres" +DB_USER_PASSWORD="${DB_USER_PASSWORD:?ERROR: DB_USER_PASSWORD environment variable must be set}" +POSTGRES_HOST="${POSTGRES_HOST:-postgres-postgresql.postgres}" +POSTGRES_PORT="${POSTGRES_PORT:-5432}" +DB_USER="${DB_USER:-esignetuser}" +DB_NAME="${DB_NAME:-mosip_esignet}" + +echo "================================================" +echo "eSignet 1.7.1 - Postgres Post-install" +echo "================================================" + +# --- Step 1: Create db-common-secrets --- +# Source: deploy/postgres/generate-secret-cm.py -> create_or_update_secret() +echo "Creating db-common-secrets in $POSTGRES_NS namespace" +kubectl -n "$POSTGRES_NS" create secret generic db-common-secrets \ + --from-literal=db-dbuser-password="$DB_USER_PASSWORD" \ + --dry-run=client -o yaml | kubectl apply -f - + +# --- Step 2: Create postgres-config configmap --- +# Source: deploy/postgres/generate-secret-cm.py -> create_or_update_configmap() +echo "Creating postgres-config configmap in $POSTGRES_NS namespace" +kubectl -n "$POSTGRES_NS" create configmap postgres-config \ + 
--from-literal=database-host="$POSTGRES_HOST" \
+ --from-literal=database-port="$POSTGRES_PORT" \
+ --from-literal=database-username="$DB_USER" \
+ --from-literal=database-name="$DB_NAME" \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+echo "Postgres post-install completed. Secrets and configmaps created."
diff --git a/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh
new file mode 100755
index 00000000..6c3417c8
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh
@@ -0,0 +1,54 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Postgres Pre-install +# ============================================================================= +# Based on: deploy/install-prereq.sh +# Creates esignet namespace, applies esignet-global configmap, and prepares +# postgres namespace before PostgreSQL helm chart deployment. +# +# Environment Variables: +# INSTALLATION_DOMAIN - Base domain (default: sandbox.xyz.net) +# ESIGNET_NS - eSignet namespace (default: esignet) +# ============================================================================= +set -euo pipefail + +ESIGNET_NS="${ESIGNET_NS:-esignet}" +INSTALLATION_DOMAIN="${INSTALLATION_DOMAIN:-sandbox.xyz.net}" + +echo "================================================" +echo "eSignet 1.7.1 - Postgres Pre-install" +echo "================================================" + +# --- Step 1: Create esignet namespace (referenced by esignet-global configmap) --- +echo "Creating $ESIGNET_NS namespace" +kubectl create namespace "$ESIGNET_NS" --dry-run=client -o yaml | kubectl apply -f - +kubectl label namespace "$ESIGNET_NS" istio-injection=enabled --overwrite + +# --- Step 2: Apply esignet-global configmap --- +# Source: deploy/esignet-global-cm.yaml.sample +echo "Applying esignet-global configmap in $ESIGNET_NS namespace" +cat < ../copy_cm_func.sh configmap redis-config redis esignet +echo "Copying redis-config configmap to $ESIGNET_NS namespace" +kubectl -n "$REDIS_NS" get configmap redis-config -o yaml | \ + sed "s/namespace: $REDIS_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + +# --- Step 4: Copy redis secret to esignet namespace --- +# Source: deploy/esignet/install.sh -> ../copy_cm_func.sh secret redis redis esignet +echo "Copying redis secret to $ESIGNET_NS namespace" +kubectl -n "$REDIS_NS" get secret redis -o yaml | \ + sed "s/namespace: $REDIS_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + +echo "Redis setup 
completed. Config and credentials shared with $ESIGNET_NS namespace."
diff --git a/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh
new file mode 100755
index 00000000..45afddef
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh
@@ -0,0 +1,52 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - SoftHSM eSignet Post-install +# ============================================================================= +# Based on: deploy/esignet/install.sh (copy_cm_func.sh calls for softhsm) +# Shares SoftHSM configmap and secrets from softhsm namespace to esignet +# namespace after SoftHSM deployment. +# +# Environment Variables: +# SOFTHSM_NS - SoftHSM namespace (default: softhsm) +# ESIGNET_NS - eSignet namespace (default: esignet) +# ============================================================================= +set -euo pipefail + +SOFTHSM_NS="${SOFTHSM_NS:-softhsm}" +ESIGNET_NS="${ESIGNET_NS:-esignet}" + +echo "================================================" +echo "eSignet 1.7.1 - SoftHSM eSignet Post-install" +echo "================================================" + +# --- Step 1: Wait for SoftHSM pod to be ready --- +echo "Waiting for SoftHSM pod to be ready..." +kubectl -n "$SOFTHSM_NS" wait --for=condition=ready pod -l app.kubernetes.io/instance=esignet-softhsm --timeout=300s || \ + echo "WARNING: SoftHSM pod not ready yet. Continuing with configmap/secret copy." + +# --- Step 2: Copy esignet-softhsm-share configmap to esignet namespace --- +# Source: deploy/esignet/install.sh -> ../copy_cm_func.sh configmap esignet-softhsm-share softhsm esignet +echo "Copying esignet-softhsm-share configmap to $ESIGNET_NS namespace" +if kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share &>/dev/null; then + kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share -o yaml | \ + sed "s/namespace: $SOFTHSM_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "esignet-softhsm-share configmap copied." +else + echo "WARNING: esignet-softhsm-share configmap not found in $SOFTHSM_NS." + echo "SoftHSM helm chart may create it on first use." 
+fi + +# --- Step 3: Copy esignet-softhsm secret to esignet namespace --- +# Source: deploy/esignet/install.sh -> ../copy_cm_func.sh secret esignet-softhsm softhsm esignet +echo "Copying esignet-softhsm secret to $ESIGNET_NS namespace" +if kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm &>/dev/null; then + kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm -o yaml | \ + sed "s/namespace: $SOFTHSM_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "esignet-softhsm secret copied." +else + echo "WARNING: esignet-softhsm secret not found in $SOFTHSM_NS." +fi + +echo "SoftHSM eSignet post-install completed." diff --git a/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh b/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh new file mode 100755 index 00000000..5bcb61cc --- /dev/null +++ b/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh 
@@ -0,0 +1,31 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - SoftHSM eSignet Pre-install Setup
+# =============================================================================
+# Based on: deploy/softhsm/install.sh
+# Creates softhsm namespace and prepares for SoftHSM deployment.
+#
+# Environment Variables:
+# SOFTHSM_NS - SoftHSM namespace (default: softhsm)
+# =============================================================================
+set -euo pipefail
+
+SOFTHSM_NS="${SOFTHSM_NS:-softhsm}"
+
+echo "================================================"
+echo "eSignet 1.7.1 - SoftHSM eSignet Pre-install"
+echo "================================================"
+
+# --- Create softhsm namespace ---
+echo "Creating $SOFTHSM_NS namespace"
+kubectl create namespace "$SOFTHSM_NS" --dry-run=client -o yaml | kubectl apply -f -
+
+# --- Label namespace for Istio sidecar injection ---
+echo "Applying Istio injection label"
+kubectl label namespace "$SOFTHSM_NS" istio-injection=enabled --overwrite
+
+# --- Update helm repos ---
+echo "Updating helm repos"
+helm repo update
+
+echo "SoftHSM eSignet pre-install setup completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh
new file mode 100755
index 00000000..af637117
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - SoftHSM Mock Identity System Post-install
+# =============================================================================
+# Shares SoftHSM mock identity system configmap with esignet namespace.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - SoftHSM Mock Identity System Post-install"
+echo "================================================"
+
+# Wait for SoftHSM mock identity pod to be ready
+kubectl -n softhsm wait --for=condition=ready pod -l app.kubernetes.io/instance=softhsm-mock-identity-system --timeout=300s 2>/dev/null || \
+ echo "WARNING: SoftHSM mock identity system pod not yet ready."
+
+# Share SoftHSM mock identity configmap with esignet namespace
+MOCK_HSM_PIN=$(kubectl -n softhsm get secret softhsm-mock-identity-system -o jsonpath='{.data.security-pin}' 2>/dev/null || echo "")
+
+if [ -n "$MOCK_HSM_PIN" ]; then
+ kubectl -n esignet create configmap softhsm-mock-identity-system-share \
+ --from-literal=softhsm-pin="$(echo -n "$MOCK_HSM_PIN" | base64 -d)" \
+ --dry-run=client -o yaml | kubectl apply -f -
+ echo "SoftHSM mock identity system credentials shared with esignet namespace."
+else
+ echo "WARNING: SoftHSM mock identity system secret not found."
+fi
+
+echo "SoftHSM mock identity system post-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-preinstall.sh
new file mode 100755
index 00000000..99a1ea0d
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-preinstall.sh
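Review bot: The SoftHSM PIN read from the `softhsm-mock-identity-system` Secret is written in clear text into a ConfigMap (`softhsm-mock-identity-system-share`, key `softhsm-pin`), which lowers its protection: ConfigMaps are readable by any principal with `get configmaps` in `esignet`, are not covered by Secret encryption-at-rest or Secret-specific RBAC, and their values are printed in full by `kubectl describe`. If the mock-identity-system chart genuinely consumes a ConfigMap by that name, the header comment should state that constraint; otherwise `kubectl -n esignet create secret generic softhsm-mock-identity-system-share ...` with the same key keeps the PIN under Secret handling, and the check in mock-identity-system-preinstall.sh would then test for a secret instead. The inline `$(echo -n "$MOCK_HSM_PIN" | base64 -d)` also leaves the decoded PIN on kubectl's argv; `--from-file=softhsm-pin=<(printf '%s' "$MOCK_HSM_PIN" | base64 -d)` should let kubectl read it through a descriptor instead.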
@@ -0,0 +1,17 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - SoftHSM Mock Identity System Pre-install +# ============================================================================= +# Prepares SoftHSM for the mock identity system. +# ============================================================================= +set -euo pipefail + +echo "================================================" +echo "eSignet 1.7.1 - SoftHSM Mock Identity System Pre-install" +echo "================================================" + +# Ensure softhsm namespace exists +kubectl create namespace softhsm --dry-run=client -o yaml | kubectl apply -f - +kubectl label namespace softhsm istio-injection=enabled --overwrite + +echo "SoftHSM mock identity system pre-install completed." diff --git a/Helmsman/utils/rancher-loggig-values.yaml b/Helmsman/utils/rancher-logging-values.yaml similarity index 100% rename from Helmsman/utils/rancher-loggig-values.yaml rename to Helmsman/utils/rancher-logging-values.yaml diff --git a/docs/profile-based-deployment.drawio b/docs/profile-based-deployment.drawio new file mode 100644 index 00000000..ce7698e9 --- /dev/null +++ b/docs/profile-based-deployment.drawio @@ -0,0 +1,152 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/terraform/implementations/aws/infra/main.tf b/terraform/implementations/aws/infra/main.tf index 2a18191e..d7148319 100644 --- a/terraform/implementations/aws/infra/main.tf +++ b/terraform/implementations/aws/infra/main.tf 
@@ -50,6 +50,12 @@ module "mosip_infra" { mosip_infra_repo_url = var.mosip_infra_repo_url mosip_infra_branch = var.mosip_infra_branch + # ActiveMQ Configuration + enable_activemq_setup = var.enable_activemq_setup + nginx_node_ebs_volume_size_3 = var.nginx_node_ebs_volume_size_3 + activemq_storage_device = var.activemq_storage_device + activemq_mount_point = var.activemq_mount_point + # AWS-specific configuration aws_provider_region = var.aws_provider_region specific_availability_zones = var.specific_availability_zones diff --git a/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars new file mode 100644 index 00000000..97879ee6 --- /dev/null +++ b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars 
@@ -0,0 +1,107 @@ +# ============================================================ +# eSignet Standalone Infrastructure Profile +# ============================================================ +# Lightweight deployment for standalone eSignet +# Includes: eSignet, OIDC UI, Postgres, Redis, Kafka, Keycloak +# Does NOT include full MOSIP platform services +# ============================================================ + +# Environment name (infra component) +cluster_name = "" + +# eSignet's domain (ex: esignet.xyz.net) +cluster_env_domain = "" + +# Email-ID will be used by certbot to notify SSL certificate expiry via email +mosip_email_id = "" + +# SSH login key name for AWS node instances (ex: my-ssh-key) +ssh_key_name = "" + +# The AWS region for resource creation +aws_provider_region = "ap-south-1" + +# Specific availability zones for VM deployment (optional) +specific_availability_zones = [] + +# The instance type for Kubernetes nodes (control plane, worker, etcd) +# Smaller instance type since eSignet standalone needs fewer resources +k8s_instance_type = "t3a.xlarge" + +# The instance type for Nginx server (load balancer) +nginx_instance_type = "t3a.xlarge" + +# The Route 53 hosted zone ID +zone_id = "" + +## UBUNTU 24.04 +# The Amazon Machine Image ID for the instances +ami = "ami-0ad21ae1d0696ad58" + +# Repo K8S-INFRA URL +k8s_infra_repo_url = "https://github.com/mosip/k8s-infra.git" + +# Repo K8S-INFRA branch +k8s_infra_branch = "release-1.2.1.x" + +# NGINX Node's Root volume size +nginx_node_root_volume_size = 24 + +# NGINX node's EBS volume size +nginx_node_ebs_volume_size = 200 + +# NGINX node's second EBS volume size (set to 0 - not needed for standalone eSignet) +nginx_node_ebs_volume_size_2 = 0 + +# Kubernetes nodes Root volume size +k8s_instance_root_volume_size = 64 + +# Control-plane, ETCD, Worker — smaller cluster for standalone eSignet +k8s_control_plane_node_count = 1 + +# ETCD, Worker +k8s_etcd_node_count = 1 + +# Worker +k8s_worker_node_count = 2 + 
+# RKE2 Version Configuration +rke2_version = "v1.28.9+rke2r1" + +# Security group CIDRs +network_cidr = "172.0.0.0/8" # Use your actual VPC CIDR +WIREGUARD_CIDR = "172.0.0.0/8" # Use your actual WireGuard VPN CIDR + +# Rancher Import Configuration +enable_rancher_import = true +rancher_import_url = "\"\"" + +# DNS Records to map — only eSignet-relevant subdomains +subdomain_public = ["esignet", "signup", "minio"] +subdomain_internal = ["iam", "kafka", "postgres", "keycloak"] + +# PostgreSQL Configuration +enable_postgresql_setup = true +postgresql_version = "15" +storage_device = "/dev/nvme2n1" +mount_point = "/srv/postgres" +postgresql_port = "5433" + +# MOSIP Infrastructure Repository Configuration +mosip_infra_repo_url = "https://github.com/mosip/infra.git" + +mosip_infra_branch = "release-0.2.0" + +# VPC Configuration - Existing VPC to use (discovered by Name tag) +vpc_name = "" + +# ── ActiveMQ Configuration ───────────────────────────────────────────────────── +# Set enable_activemq_setup = true AND nginx_node_ebs_volume_size_3 > 0 to +# create a dedicated EBS volume, format it as XFS, and mount it on the NGINX node. +# ActiveMQ itself runs inside Kubernetes via Helm (no software installed here). +# Both conditions must be true — set either to false/0 to skip entirely. +enable_activemq_setup = false # Toggle: true = create & mount, false = skip +nginx_node_ebs_volume_size_3 = 0 # Volume size in GB (e.g. 100); 0 = disabled + +activemq_storage_device = "/dev/nvme3n1" +activemq_mount_point = "/srv/activemq" diff --git a/terraform/implementations/aws/infra/aws.tfvars b/terraform/implementations/aws/infra/profiles/mosip/aws.tfvars similarity index 71% rename from terraform/implementations/aws/infra/aws.tfvars rename to terraform/implementations/aws/infra/profiles/mosip/aws.tfvars index 25012b59..a6b179ed 100644 --- a/terraform/implementations/aws/infra/aws.tfvars +++ b/terraform/implementations/aws/infra/profiles/mosip/aws.tfvars 
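Review bot: `network_cidr` and `WIREGUARD_CIDR` default to `172.0.0.0/8`, which the comment says feeds the security-group rules; the inline note asks operators to replace it, but a profile file committed with a working-looking value tends to ship unchanged, and a /8 admits far more sources than the VPC or the VPN. Leaving both empty so that `terraform plan` fails until they are set (as `cluster_name` and `zone_id` already do), or narrowing them to the VPC's actual CIDR, is the safer default. `subdomain_public = ["esignet", "signup", "minio"]` includes `signup` and `minio` although the header describes this profile as eSignet, OIDC UI, Postgres, Redis, Kafka and Keycloak only, so either the header or the DNS list appears out of sync. `rancher_import_url = "\"\""` produces a literal two-character string of quotes rather than an empty value, which is presumably not intended when `enable_rancher_import = true`.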
@@ -1,3 +1,10 @@ +# ============================================================ +# MOSIP Platform Infrastructure Profile +# ============================================================ +# Full MOSIP platform deployment with all services +# Includes: IDA, IDRepo, PMS, PreReg, Kernel, Resident, eSignet +# ============================================================ + # Environment name (infra component) cluster_name = "" @@ -57,7 +64,7 @@ k8s_control_plane_node_count = 3 k8s_etcd_node_count = 3 # Worker -k8s_worker_node_count = 2 +k8s_worker_node_count = 2 # RKE2 Version Configuration rke2_version = "v1.28.9+rke2r1" @@ -90,3 +97,14 @@ mosip_infra_branch = "release-0.2.0" # VPC Configuration - Existing VPC to use (discovered by Name tag) vpc_name = "" + +# ── ActiveMQ Configuration ───────────────────────────────────────────────────── +# Set enable_activemq_setup = true AND nginx_node_ebs_volume_size_3 > 0 to +# create a dedicated EBS volume, format it as XFS, and mount it on the NGINX node. +# ActiveMQ itself runs inside Kubernetes via Helm (no software installed here). +# Both conditions must be true — set either to false/0 to skip entirely. +enable_activemq_setup = true # Toggle: true = create & mount, false = skip +nginx_node_ebs_volume_size_3 = 30 # Volume size in GB (e.g. 100); 0 = disabled + +activemq_storage_device = "/dev/nvme3n1" +activemq_mount_point = "/srv/activemq" diff --git a/terraform/implementations/aws/infra/variables.tf b/terraform/implementations/aws/infra/variables.tf index caca8c1d..f8fb80ef 100644 --- a/terraform/implementations/aws/infra/variables.tf +++ b/terraform/implementations/aws/infra/variables.tf 
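Review bot: This profile turns the ActiveMQ volume on (`enable_activemq_setup = true`, `nginx_node_ebs_volume_size_3 = 30`) with `activemq_storage_device = "/dev/nvme3n1"` fixed in the file, and the comment says that device is formatted as XFS and mounted. On NVMe-based instances the `nvmeXn1` names are assigned at enumeration and are not guaranteed to follow attachment order, so the third EBS volume is not reliably `nvme3n1`; activemq-setup.sh is outside this view, but if it runs `mkfs` on that path without first checking for an existing filesystem, a different enumeration could wipe the PostgreSQL volume configured at `/dev/nvme2n1`. Resolving the device through `/dev/disk/by-id/` by EBS volume id and guarding the format step with a `blkid` check would make the setup idempotent and safe to re-run. The same fixed `/dev/nvme3n1` default is repeated in the variable declarations this commit adds, so the resolution is best done once in the setup script.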
@@ -226,3 +226,36 @@ variable "mosip_infra_branch" { type = string default = "develop" } + +# ActiveMQ Configuration Variables +variable "enable_activemq_setup" { + description = "Enable ActiveMQ EBS volume setup on the NGINX node" + type = bool + default = false +} + +variable "nginx_node_ebs_volume_size_3" { + description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable" + type = number + default = 0 +} + +variable "activemq_storage_device" { + description = "Block device path of the 3rd EBS volume for ActiveMQ" + type = string + default = "/dev/nvme3n1" + validation { + condition = length(var.activemq_storage_device) > 0 && startswith(var.activemq_storage_device, "/dev/") + error_message = "activemq_storage_device must be non-empty and start with '/dev/'." + } +} + +variable "activemq_mount_point" { + description = "Mount point for ActiveMQ persistent storage" + type = string + default = "/srv/activemq" + validation { + condition = length(var.activemq_mount_point) > 0 && startswith(var.activemq_mount_point, "/") + error_message = "activemq_mount_point must be non-empty and an absolute path starting with '/'." + } +} diff --git a/terraform/infra/aws/main.tf b/terraform/infra/aws/main.tf index fe69e456..f489f334 100644 --- a/terraform/infra/aws/main.tf +++ b/terraform/infra/aws/main.tf @@ -39,7 +39,7 @@ module "aws_infrastructure" { nginx_node_ebs_volume_size_2 = var.nginx_node_ebs_volume_size_2 K8S_INSTANCE_ROOT_VOLUME_SIZE = var.k8s_instance_root_volume_size network_cidr = var.network_cidr - DEPLOYMENT_TYPE = "infra" # Regular MOSIP infrastructure deployment + DEPLOYMENT_TYPE = "infra" # Regular MOSIP infrastructure deployment WIREGUARD_CIDR = var.WIREGUARD_CIDR # PostgreSQL Configuration 
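Review bot: The `validation` blocks on `activemq_storage_device` and `activemq_mount_point` exist only in terraform/implementations/aws/infra/variables.tf; the same two variables are declared without them in terraform/infra/aws/variables.tf and terraform/infra/variables.tf in this commit, so a value entering at those layers is passed down unchecked. Copying the two blocks into both declarations keeps the three layers consistent. `startswith()` requires a Terraform release that provides it (1.3 or newer, as I recall), so the module's `required_version` constraint should reflect that if it does not already; that constraint is outside this view. The `\ No newline at end of file` marker on terraform/infra/variables.tf is a minor formatting point worth fixing in the same change.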
@@ -52,4 +52,10 @@ module "aws_infrastructure" {
 # MOSIP Infrastructure Repository Configuration
 mosip_infra_repo_url = var.mosip_infra_repo_url
 mosip_infra_branch = var.mosip_infra_branch
+
+# ActiveMQ Configuration
+enable_activemq_setup = var.enable_activemq_setup
+nginx_node_ebs_volume_size_3 = var.nginx_node_ebs_volume_size_3
+activemq_storage_device = var.activemq_storage_device
+activemq_mount_point = var.activemq_mount_point
 }
diff --git a/terraform/infra/aws/variables.tf b/terraform/infra/aws/variables.tf
index 03d6269c..9ecd5a9e 100644
--- a/terraform/infra/aws/variables.tf
+++ b/terraform/infra/aws/variables.tf
@@ -189,3 +189,28 @@ variable "mosip_infra_branch" {
 type = string
 default = "develop"
 }
+
+# ActiveMQ Configuration Variables
+variable "enable_activemq_setup" {
+description = "Enable ActiveMQ EBS volume setup on the NGINX node"
+type = bool
+default = false
+}
+
+variable "nginx_node_ebs_volume_size_3" {
+description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable"
+type = number
+default = 0
+}
+
+variable "activemq_storage_device" {
+description = "Block device path of the 3rd EBS volume for ActiveMQ"
+type = string
+default = "/dev/nvme3n1"
+}
+
+variable "activemq_mount_point" {
+description = "Mount point for ActiveMQ persistent storage"
+type = string
+default = "/srv/activemq"
+}
diff --git a/terraform/infra/main.tf b/terraform/infra/main.tf
index 02f2b5a1..a01be42b 100644
--- a/terraform/infra/main.tf
+++ b/terraform/infra/main.tf
@@ -61,6 +61,12 @@ module "aws_infra" {
 # MOSIP Infrastructure Repository Configuration
 mosip_infra_repo_url = var.mosip_infra_repo_url
 mosip_infra_branch = var.mosip_infra_branch
+
+# ActiveMQ Configuration
+enable_activemq_setup = var.enable_activemq_setup
+nginx_node_ebs_volume_size_3 = var.nginx_node_ebs_volume_size_3
+activemq_storage_device = var.activemq_storage_device
+activemq_mount_point = var.activemq_mount_point
 }
 # Azure Infrastructure
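Review bot: In the terraform/infra/aws/variables.tf hunk, `activemq_storage_device` and `activemq_mount_point` are declared with no `validation` block, unlike the copies of the same variables added to terraform/implementations/aws/infra/variables.tf and terraform/modules/aws/variables.tf in this diff, so a value entering at this layer is only checked once it reaches the innermost module. Both values end up in `/etc/exports`, fstab and the `mkfs` target chosen by the playbook, so the same early check belongs at every entry point; copying the validation blocks from the modules/aws copy is sufficient. Whether terraform/infra/aws is ever invoked directly rather than through the implementations layer I cannot tell from the diff, but the declarations should not diverge either way.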
diff --git a/terraform/infra/variables.tf b/terraform/infra/variables.tf
index 7cc28f07..70176c35 100644
--- a/terraform/infra/variables.tf
+++ b/terraform/infra/variables.tf
@@ -291,3 +291,28 @@ variable "mosip_infra_branch" {
 type = string
 default = "develop"
 }
+
+# ActiveMQ Configuration Variables
+variable "enable_activemq_setup" {
+description = "Enable ActiveMQ EBS volume setup on the NGINX node"
+type = bool
+default = false
+}
+
+variable "nginx_node_ebs_volume_size_3" {
+description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable"
+type = number
+default = 0
+}
+
+variable "activemq_storage_device" {
+description = "Block device path of the 3rd EBS volume for ActiveMQ"
+type = string
+default = "/dev/nvme3n1"
+}
+
+variable "activemq_mount_point" {
+description = "Mount point for ActiveMQ persistent storage"
+type = string
+default = "/srv/activemq"
+}
\ No newline at end of file
diff --git a/terraform/modules/aws/activemq-setup/activemq-setup.sh b/terraform/modules/aws/activemq-setup/activemq-setup.sh
new file mode 100755
index 00000000..4f321c47
--- /dev/null
+++ b/terraform/modules/aws/activemq-setup/activemq-setup.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+# ActiveMQ EBS Volume Setup - Runs on the Terraform RUNNER machine.
+# Ansible SSHes into the NGINX node to format/mount EBS and configure NFS.
+# ActiveMQ itself runs inside Kubernetes — this only prepares the storage.
+
+set -euo pipefail
+
+echo "=== ActiveMQ EBS Volume Setup Started at $(date) ==="
+
+# ── Validate required environment variables ────────────────────────────────────
+echo "=== Validating Environment Variables ==="
+REQUIRED_VARS=(
+"NGINX_PRIVATE_IP"
+"ACTIVEMQ_STORAGE_DEVICE"
+"ACTIVEMQ_MOUNT_POINT"
+"SSH_KEY_FILE"
+"WORK_DIR"
+)
+MISSING_VARS=()
+for var in "${REQUIRED_VARS[@]}"; do
+[ -z "${!var:-}" ] && MISSING_VARS+=("$var")
+done
+if [ ${#MISSING_VARS[@]} -ne 0 ]; then
+echo "ERROR: Missing required environment variables:"
+printf ' - %s\n' "${MISSING_VARS[@]}"
+exit 1
+fi
+echo " NGINX_PRIVATE_IP=$NGINX_PRIVATE_IP"
+echo " ACTIVEMQ_STORAGE_DEVICE=$ACTIVEMQ_STORAGE_DEVICE"
+echo " ACTIVEMQ_MOUNT_POINT=$ACTIVEMQ_MOUNT_POINT"
+echo " SSH_KEY_FILE=$SSH_KEY_FILE"
+echo " WORK_DIR=$WORK_DIR"
+
+# ── Verify Ansible is available on the runner ──────────────────────────────────
+echo "=== Checking Ansible on runner machine ==="
+if ! command -v ansible-playbook &>/dev/null; then
+echo "ERROR: ansible-playbook not found on the Terraform runner."
+ echo "Please install Ansible on the machine running Terraform:" + echo " Ubuntu/Debian : sudo apt-get install -y ansible" + echo " RHEL/CentOS : sudo yum install -y ansible" + echo " pip : pip3 install ansible" + exit 1 +fi +echo "Ansible found: $(ansible --version | head -1)" + +# ── Wait for NGINX SSH to be ready ──────────────────────────────────────────── +echo "=== Waiting for NGINX SSH to be ready ($NGINX_PRIVATE_IP) ===" +for i in $(seq 1 20); do + if ssh -i "$SSH_KEY_FILE" \ + -o StrictHostKeyChecking=no \ + -o ConnectTimeout=5 \ + -o BatchMode=yes \ + ubuntu@"$NGINX_PRIVATE_IP" "echo ok" &>/dev/null; then + echo "SSH ready after $i attempt(s)" + break + fi + echo " Attempt $i/20: SSH not ready yet, retrying in 10s..." + sleep 10 + if [ "$i" -eq 20 ]; then + echo "ERROR: NGINX SSH did not become ready after 200 seconds" + exit 1 + fi +done + +# ── Create Ansible inventory and config ─────────────────────────────────────── +echo "=== Creating Ansible inventory ===" +cat > "$WORK_DIR/inventory.ini" < "$WORK_DIR/ansible.cfg" <&1 | tee "$ANSIBLE_LOG" +ANSIBLE_EXIT=${PIPESTATUS[0]} +set -o pipefail + +if [ "$ANSIBLE_EXIT" -ne 0 ]; then + echo "" + echo "ERROR: Ansible playbook failed (exit code $ANSIBLE_EXIT)" + echo "--- Last 30 lines of log ---" + tail -30 "$ANSIBLE_LOG" || true + exit 1 +fi + +if [ ! -s /tmp/activemq-storageclass.yaml ]; then + echo "" + echo "ERROR: StorageClass manifest not found or empty at /tmp/activemq-storageclass.yaml" + echo "--- Last 30 lines of Ansible log ---" + tail -30 "$ANSIBLE_LOG" || true + exit 1 +fi + +echo "" +echo "=== Done at $(date) ===" +echo "EBS volume for ActiveMQ is mounted at $ACTIVEMQ_MOUNT_POINT on $NGINX_PRIVATE_IP" +echo "StorageClass YAML written to /tmp/activemq-storageclass.yaml on this runner" \ No newline at end of file diff --git a/terraform/modules/aws/activemq-setup/activemq-setup.yml b/terraform/modules/aws/activemq-setup/activemq-setup.yml new file mode 100644 index 00000000..ae9fde2e --- /dev/null 
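Review bot: The SSH readiness loop passes `-o StrictHostKeyChecking=no`, so the first connection to `$NGINX_PRIVATE_IP` accepts whatever host key answers, and a host inside the VPC that can answer on that address gets a session that is followed by a root-level format-and-mount run; the ansible.cfg and inventory heredocs are not legible in this rendering (their bodies were lost in extraction), so I cannot tell whether Ansible itself inherits the same setting. For a freshly created instance the robust fix is to pin the key from the instance console output into a per-run file and pass `-o UserKnownHostsFile="$WORK_DIR/known_hosts"` with strict checking left on; at minimum `-o StrictHostKeyChecking=accept-new` stops a changed key on a replaced node from being silently accepted on repeat runs. The handoff file `/tmp/activemq-storageclass.yaml` is a fixed, predictable path in a world-writable directory on the runner rather than something under `$WORK_DIR`, which is the classic setup for a symlink race by another local user and also lets a stale file from an earlier run satisfy the `-s` check if the playbook ever stops writing it; generating and reading it under `$WORK_DIR` (the Terraform module would need the same path) avoids both.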
+++ b/terraform/modules/aws/activemq-setup/activemq-setup.yml 
@@ -0,0 +1,174 @@
+---
+# ActiveMQ EBS Volume + NFS Export + StorageClass Setup
+# Runs from the Terraform RUNNER machine, SSHes into the NGINX node.
+# Steps:
+# 1. Wait for EBS device → format as XFS → mount it
+# 2. Set correct NFS permissions on mount point
+# 3. Configure NFS export so Kubernetes pods can reach the storage
+# 4. Generate a Kubernetes StorageClass YAML on the runner (delegate_to: localhost)
+
+- name: ActiveMQ EBS Volume + NFS Setup
+hosts: activemq_servers
+become: yes
+gather_facts: yes
+
+tasks:
+
+# ── System prerequisites ───────────────────────────────────────────────────
+- name: Update apt cache
+apt:
+update_cache: yes
+cache_valid_time: 3600
+
+- name: Install required tools
+apt:
+name:
+- xfsprogs # mkfs.xfs
+- util-linux # lsblk, blkid
+- nfs-kernel-server # NFS server
+state: present
+
+# ── Wait for EBS block device ──────────────────────────────────────────────
+# activemq_storage_device may be a raw path (/dev/nvme3n1) or a stable
+# by-id path (/dev/disk/by-id/nvme-...). Both work with wait_for.
+- name: Wait for ActiveMQ storage device to appear
+wait_for:
+path: "{{ activemq_storage_device }}"
+timeout: 240
+msg: "Timed out waiting for device {{ activemq_storage_device }}"
+
+- name: Show available block devices
+command: lsblk -f
+register: block_devices
+changed_when: false
+
+- name: Display block devices
+debug:
+var: block_devices.stdout_lines
+
+# ── Format the EBS volume ──────────────────────────────────────────────────
+- name: Check if device already has a filesystem
+command: blkid -o value -s TYPE "{{ activemq_storage_device }}"
+register: existing_fs
+changed_when: false
+failed_when: false
+
+- name: Create XFS filesystem on device (skipped if already formatted)
+filesystem:
+fstype: xfs
+dev: "{{ activemq_storage_device }}"
+when: existing_fs.stdout == ""
+
+# ── Resolve stable UUID for fstab ─────────────────────────────────────────
+# Raw NVMe device names (/dev/nvme3n1) change on instance reboot/replacement.
+# Using UUID= in fstab is stable — it survives device renaming.
+- name: Resolve filesystem UUID of the device
+command: blkid -o value -s UUID "{{ activemq_storage_device }}"
+register: device_uuid
+changed_when: false
+retries: 3
+delay: 5
+until: device_uuid.stdout != ""
+
+# ── Create mount point and mount ───────────────────────────────────────────
+- name: Create mount point directory
+file:
+path: "{{ activemq_mount_point }}"
+state: directory
+mode: '0777'
+
+# fstab and mount use UUID= — stable across reboots and NVMe renaming.
+- name: Mount device by UUID and add to fstab (idempotent)
+mount:
+path: "{{ activemq_mount_point }}"
+src: "UUID={{ device_uuid.stdout | trim }}"
+fstype: xfs
+opts: defaults,nofail
+dump: '0'
+passno: '2'
+state: mounted
+
+# ── NFS: Set ownership and permissions ────────────────────────────────────
+- name: Set NFS-compatible permissions on mount point
+file:
+path: "{{ activemq_mount_point }}"
+mode: '0777'
+state: directory
+
+# ── NFS: Configure /etc/exports ─────────────────────────────────────────
+- name: Add ActiveMQ NFS export entry
+lineinfile:
+path: /etc/exports
+line: "{{ activemq_mount_point }} {{ activemq_nfs_allowed_hosts | default('*') }}(rw,sync,no_all_squash,subtree_check)"
+state: present
+create: yes
+backup: yes
+
+- name: Apply NFS export changes (exportfs -rav)
+command: exportfs -rav
+register: exportfs_result
+
+- name: Display exportfs result
+debug:
+var: exportfs_result.stdout_lines
+
+# ── NFS: Start and enable NFS server ──────────────────────────────────────
+- name: Start and enable NFS kernel server
+systemd:
+name: nfs-kernel-server
+state: restarted
+enabled: yes
+daemon_reload: yes
+
+- name: Verify NFS export is active
+command: exportfs -v
+register: exports_verify
+changed_when: false
+
+- name: Display active NFS exports
+debug:
+var: exports_verify.stdout_lines
+
+# ── NFS: Show mount info ───────────────────────────────────────────────────
+- name: Show mount and disk usage
+command: df -h "{{ activemq_mount_point }}"
+register: mount_info
+changed_when: false
+
+# ── Generate Kubernetes StorageClass YAML on the runner ───────────────────
+# delegate_to: localhost writes the file on the Terraform runner, NOT on NGINX.
+# Terraform's second null_resource then copies it to the K8s control plane.
+- name: Generate Kubernetes StorageClass YAML for ActiveMQ NFS share
+copy:
+content: |
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: nfs-csi-activemq
+provisioner: nfs.csi.k8s.io
+parameters:
+server: {{ hostvars[inventory_hostname].ansible_host | default(inventory_hostname) }}
+share: {{ activemq_mount_point }}/
+mountPermissions: '0777'
+subDir: ${pvc.metadata.namespace}-${pvc.metadata.name}-${pv.metadata.name}
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+dest: /tmp/activemq-storageclass.yaml
+mode: '0644'
+delegate_to: localhost
+become: false
+
+# ── Final status report ──────────────────────────────────────────────────
+- name: Display final status
+debug:
+msg:
+- "EBS volume setup complete"
+- "Device : {{ activemq_storage_device }}"
+- "Mount : {{ activemq_mount_point }}"
+- "Disk usage : {{ mount_info.stdout_lines }}"
+- "NFS export : {{ activemq_mount_point }} *(rw,sync,no_root_squash,...)"
+- "NFS server IP : {{ hostvars[inventory_hostname].ansible_host | default(inventory_hostname) }}"
+- "StorageClass : nfs-csi-activemq → /tmp/activemq-storageclass.yaml (on runner)"
+- ""
+- "Next: Terraform will apply the StorageClass to Kubernetes."
+- "In Helmsman DSF, set: --set persistence.storageClass=nfs-csi-activemq"
\ No newline at end of file
diff --git a/terraform/modules/aws/activemq-setup/main.tf b/terraform/modules/aws/activemq-setup/main.tf
new file mode 100644
index 00000000..25763157
--- /dev/null
+++ b/terraform/modules/aws/activemq-setup/main.tf
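Review bot: The export line defaults `activemq_nfs_allowed_hosts` to `*`, so unless the inventory written by the shell script (not legible in this rendering) sets it, the ActiveMQ data directory is exported read-write to every host that can reach port 2049 on the NGINX node — the deployment's edge node — and with the mount at `mode: '0777'` any such host can read and alter queued messages. I would fail the play instead of falling back to a wildcard, `line: "{{ activemq_mount_point }} {{ activemq_nfs_allowed_hosts | mandatory }}(rw,sync,no_all_squash,subtree_check)"`, and have Terraform pass the cluster CIDR as an extra var (the module call one level up already receives `network_cidr`). The `lineinfile` task also has no `regexp`, so changing the allowed hosts later appends a second entry for the same path instead of replacing the old one; `regexp: "^{{ activemq_mount_point | regex_escape }}\\s"` fixes that. Finally, the status message reports `no_root_squash` while the export actually uses `no_all_squash` (root is still squashed, which is why 0777 is needed), which will mislead anyone debugging permission errors on the share.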
@@ -0,0 +1,134 @@
+# ActiveMQ EBS Volume Setup Module
+# Runs Ansible on the Terraform RUNNER machine, which SSHes into the NGINX node.
+# 1. Formats + mounts the 3rd EBS volume on the NGINX node
+# 2. Configures NFS export for Kubernetes pod access
+# 3. Generates and applies a Kubernetes StorageClass for the NFS share
+
+variable "NGINX_PUBLIC_IP" { type = string }
+variable "NGINX_PRIVATE_IP" { type = string }
+variable "SSH_PRIVATE_KEY" {
+type = string
+sensitive = true
+description = "SSH private key content for connecting to nodes"
+}
+variable "NGINX_NODE_EBS_VOLUME_SIZE_3" { type = number }
+
+variable "ACTIVEMQ_STORAGE_DEVICE" {
+type = string
+default = "/dev/nvme3n1"
+description = "Block device path of the 3rd EBS volume"
+}
+variable "ACTIVEMQ_MOUNT_POINT" {
+type = string
+default = "/srv/activemq"
+description = "Mount point for ActiveMQ persistent storage (also the NFS share path)"
+}
+
+# Kubernetes Control Plane — for applying the StorageClass
+variable "CONTROL_PLANE_HOST" {
+type = string
+description = "IP address of the Kubernetes control plane node"
+}
+variable "CONTROL_PLANE_USER" {
+type = string
+default = "ubuntu"
+description = "SSH username for control plane access"
+}
+
+# ── Resource 1: EBS Volume + NFS Setup (runs Ansible on the Terraform runner) ──
+resource "null_resource" "activemq-ebs-nfs-setup" {
+count = var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? 1 : 0
+
+triggers = {
+# Re-run when target node is replaced (new IP = new instance)
+nginx_private_ip = var.NGINX_PRIVATE_IP
+
+# Re-run when storage configuration changes
+device_mount_hash = md5("${var.ACTIVEMQ_STORAGE_DEVICE}${var.ACTIVEMQ_MOUNT_POINT}")
+}
+
+# Write the SSH private key to a temp file on the runner, then run Ansible locally.
+# Ansible SSHes into the NGINX node using that key.
+provisioner "local-exec" {
+# SECURITY: The SSH private key is passed via environment variable, NOT
+# interpolated in the command string. This prevents it from appearing in:
+# - Terraform plan/apply output
+# - Shell history (ps aux, /proc)
+# - CI/CD logs that capture stdout
+# The script reads TF_ACTIVEMQ_SSH_KEY and writes it to a chmod-600 temp file.
+command = <<-EOT
+set -euo pipefail
+
+# ── Write SSH key from env var (never from command args) ──────────────────
+KEY_FILE=$(mktemp /tmp/activemq-ssh-key-XXXXXX)
+chmod 600 "$KEY_FILE"
+# Use printf to avoid trailing newline issues with echo
+printf '%s' "$TF_ACTIVEMQ_SSH_KEY" > "$KEY_FILE"
+
+# ── Copy playbook to a temp working dir ───────────────────────────────────
+WORK_DIR=$(mktemp -d /tmp/activemq-setup-XXXXXX)
+
+# ── Guarantee cleanup of KEY_FILE and WORK_DIR on success or failure ──────
+trap 'rm -rf "$KEY_FILE" "$WORK_DIR"' EXIT ERR
+
+cp "${path.module}/activemq-setup.yml" "$WORK_DIR/activemq-setup.yml"
+cp "${path.module}/activemq-setup.sh" "$WORK_DIR/activemq-setup.sh"
+chmod +x "$WORK_DIR/activemq-setup.sh"
+
+# ── Run the setup script (Ansible runs on this runner, SSHes into NGINX) ──
+export NGINX_PRIVATE_IP="${var.NGINX_PRIVATE_IP}"
+export ACTIVEMQ_STORAGE_DEVICE="${var.ACTIVEMQ_STORAGE_DEVICE}"
+export ACTIVEMQ_MOUNT_POINT="${var.ACTIVEMQ_MOUNT_POINT}"
+export SSH_KEY_FILE="$KEY_FILE"
+export WORK_DIR="$WORK_DIR"
+
+bash "$WORK_DIR/activemq-setup.sh"
+EOT
+interpreter = ["bash", "-c"]
+
+environment = {
+# Key passed as env var — never appears in command string or Terraform logs
+TF_ACTIVEMQ_SSH_KEY = var.SSH_PRIVATE_KEY
+}
+}
+}
+
+# ── Resource 2: Apply StorageClass to Kubernetes ──────────────────────────────
+# The Ansible playbook generates /tmp/activemq-storageclass.yaml on the runner.
+# This resource copies it to the K8s control plane and applies it.
+resource "null_resource" "activemq-k8s-storageclass" {
+count = var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? 1 : 0
+depends_on = [null_resource.activemq-ebs-nfs-setup]
+
+connection {
+type = "ssh"
+host = var.CONTROL_PLANE_HOST
+user = var.CONTROL_PLANE_USER
+private_key = var.SSH_PRIVATE_KEY
+timeout = "10m"
+agent = false
+}
+
+# Copy the StorageClass YAML (generated by Ansible on the runner) to control plane
+provisioner "file" {
+source = "/tmp/activemq-storageclass.yaml"
+destination = "/tmp/activemq-storageclass.yaml"
+}
+
+# Apply it to the cluster
+provisioner "remote-exec" {
+inline = [
+# Build kubeconfig path from the actual login user using find to locate the .yaml file
+"export KUBECONFIG=$(find /home/${var.CONTROL_PLANE_USER}/.kube/ -name '*.yaml' | head -1)",
+# Fail immediately with a clear message if no valid file was found.
+"if [ -z \"$KUBECONFIG\" ] || [ ! -f \"$KUBECONFIG\" ]; then echo \"ERROR: kubeconfig not found in /home/${var.CONTROL_PLANE_USER}/.kube/\"; exit 1; fi",
+"echo \"Using kubeconfig: $KUBECONFIG\"",
+"kubectl cluster-info",
+"echo 'Applying ActiveMQ NFS StorageClass...'",
+"kubectl apply -f /tmp/activemq-storageclass.yaml",
+"echo 'Verifying StorageClass was created...'",
+"kubectl get storageclass nfs-csi-activemq",
+"rm -f /tmp/activemq-storageclass.yaml"
+]
+}
+}
diff --git a/terraform/modules/aws/aws-main.tf b/terraform/modules/aws/aws-main.tf
index b305076a..f6162e7f 100644
--- a/terraform/modules/aws/aws-main.tf
+++ b/terraform/modules/aws/aws-main.tf
@@ -129,6 +129,8 @@ module "aws-resource-creation" {
 NGINX_NODE_EBS_VOLUME_SIZE = var.NGINX_NODE_EBS_VOLUME_SIZE
 NGINX_NODE_EBS_VOLUME_SIZE_2 = var.nginx_node_ebs_volume_size_2
+NGINX_NODE_EBS_VOLUME_SIZE_3 = var.nginx_node_ebs_volume_size_3
+enable_activemq_setup = var.enable_activemq_setup
 NGINX_NODE_ROOT_VOLUME_SIZE = var.NGINX_NODE_ROOT_VOLUME_SIZE
 # VPC and Subnet Configuration
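Review bot: In the `local-exec` command the cleanup `trap` is installed only after the private key has already been written to `$KEY_FILE`, so if `mktemp -d` fails (a full /tmp on the runner is enough) `set -e` exits and the SSH private key is left on disk. Install the trap immediately after creating the key file and before writing it: `KEY_FILE=$(mktemp /tmp/activemq-ssh-key-XXXXXX)` followed by `trap 'rm -rf "$KEY_FILE" "$${WORK_DIR:-}"' EXIT` (the doubled `$` keeps Terraform from interpolating the expansion inside the heredoc, and `ERR` is redundant once `EXIT` is trapped). `printf '%s'` also writes the key with no final newline; if `SSH_PRIVATE_KEY` is supplied without one, OpenSSH may reject the PEM file as invalid format, so `printf '%s\n'` is the safer spelling. Separately, `triggers` only covers the IP and the device/mount strings, so later edits to activemq-setup.yml or activemq-setup.sh never re-run the resource; adding `playbook_hash = filemd5("${path.module}/activemq-setup.yml")` (and the same for the .sh) closes that gap. The second resource reads the handoff file from the fixed, shared `/tmp/activemq-storageclass.yaml` path on the runner, which would be safer under a per-run directory, though that needs a matching change in the script.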
@@ -483,7 +485,7 @@ module "nginx-setup" {
 SSH_PRIVATE_KEY = var.SSH_PRIVATE_KEY
 K8S_INFRA_BRANCH = var.K8S_INFRA_BRANCH
 K8S_INFRA_REPO_URL = var.K8S_INFRA_REPO_URL
-NGINX_TYPE = var.NGINX_TYPE # Pass through the NGINX_TYPE
+NGINX_TYPE = var.NGINX_TYPE # Pass through the NGINX_TYPE
 }
@@ -535,3 +537,20 @@ module "postgresql-setup" {
 CONTROL_PLANE_HOST = [for instance in module.aws-resource-creation.K8S_CLUSTER_PRIVATE_IPS : instance][0]
 CONTROL_PLANE_USER = "ubuntu"
 }
+
+module "activemq-setup" {
+count = var.enable_activemq_setup && var.nginx_node_ebs_volume_size_3 > 0 ? 1 : 0
+depends_on = [module.aws-resource-creation, module.nginx-setup, module.rke2-setup, module.nfs-setup, module.postgresql-setup]
+source = "./activemq-setup"
+
+NGINX_PUBLIC_IP = module.aws-resource-creation.NGINX_PUBLIC_IP
+NGINX_PRIVATE_IP = module.aws-resource-creation.NGINX_PRIVATE_IP
+SSH_PRIVATE_KEY = var.SSH_PRIVATE_KEY
+NGINX_NODE_EBS_VOLUME_SIZE_3 = var.nginx_node_ebs_volume_size_3
+ACTIVEMQ_STORAGE_DEVICE = var.activemq_storage_device
+ACTIVEMQ_MOUNT_POINT = var.activemq_mount_point
+
+# Control plane for applying the StorageClass to Kubernetes
+CONTROL_PLANE_HOST = [for instance in module.aws-resource-creation.K8S_CLUSTER_PRIVATE_IPS : instance][0]
+CONTROL_PLANE_USER = "ubuntu"
+}
diff --git a/terraform/modules/aws/aws-resource-creation/variables.tf b/terraform/modules/aws/aws-resource-creation/variables.tf
index e2e41088..e8624908 100644
--- a/terraform/modules/aws/aws-resource-creation/variables.tf
+++ b/terraform/modules/aws/aws-resource-creation/variables.tf
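Review bot: `NGINX_PUBLIC_IP` is passed into `module "activemq-setup"`, but the module's main.tf added in this same diff declares that variable and never references it; drop it on both sides, otherwise the call reads as if the public address takes part in the setup. More importantly, this turns the NGINX node — the instance that has a public IP — into an NFS server, and nothing in the diff touches a security group, so whether 2049/tcp (and 111 if NFSv3 is left enabled) is reachable from outside the cluster subnets depends entirely on rules I cannot see; a comment here pointing at the rule that scopes NFS to the Kubernetes subnets would make that dependency explicit, e.g. `# NFS (2049/tcp) on the NGINX node must be limited to the K8s subnets in the NGINX security group`. The `depends_on` list also names `module.postgresql-setup`, which the playbook does not appear to use; if it is there purely for ordering, a short comment saying so would stop the next reader from hunting for the coupling.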
@@ -46,6 +46,16 @@ variable "ZONE_ID" { type = string }
 variable "NGINX_NODE_ROOT_VOLUME_SIZE" { type = number }
 variable "NGINX_NODE_EBS_VOLUME_SIZE" { type = number }
 variable "NGINX_NODE_EBS_VOLUME_SIZE_2" { type = number }
+variable "NGINX_NODE_EBS_VOLUME_SIZE_3" {
+type = number
+default = 0
+description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable"
+}
+variable "enable_activemq_setup" {
+description = "Enable ActiveMQ EBS volume setup on the NGINX node"
+type = bool
+default = false
+}
 variable "K8S_INSTANCE_ROOT_VOLUME_SIZE" { type = number }
 variable "DNS_RECORDS" {
@@ -169,6 +179,17 @@ EOF
 Cluster = var.CLUSTER_NAME
 Component = var.CLUSTER_NAME
 }
+}] : [], var.enable_activemq_setup && var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? [{
+device_name = "/dev/sdd"
+volume_size = var.NGINX_NODE_EBS_VOLUME_SIZE_3
+volume_type = "gp3"
+delete_on_termination = true
+encrypted = false
+tags = {
+Name = "${local.TAG_NAME.NGINX_TAG_NAME}-vol3"
+Cluster = var.CLUSTER_NAME
+Component = var.CLUSTER_NAME
+}
 }] : [])
 }
 K8S_EC2_NODE = {
diff --git a/terraform/modules/aws/variables.tf b/terraform/modules/aws/variables.tf
index 7cfbe659..f6c96359 100644
--- a/terraform/modules/aws/variables.tf
+++ b/terraform/modules/aws/variables.tf
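Review bot: The new volume is created with `encrypted = false`, so ActiveMQ's persisted queue data for an identity platform sits unencrypted at rest on the EBS volume and in every snapshot taken from it; `encrypted = true` uses the account's default EBS KMS key, costs nothing extra and needs no other change (the hunk does not show whether the first two NGINX volumes set it, so align all three either way). `delete_on_termination = true` additionally means any undelivered messages are destroyed whenever the NGINX instance is replaced, which is acceptable for transient data but deserves a comment if this store is meant to be durable, e.g. `# Queue data is lost when the NGINX instance is replaced; set delete_on_termination = false or snapshot for durable environments`. The `device_name = "/dev/sdd"` chosen here is what the `/dev/nvme3n1` default in the other hunks is assumed to map to; that mapping is not guaranteed on NVMe instances, as the playbook's own comment about raw device names acknowledges, so a pointer to that comment here would help whoever changes either side.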
@@ -197,4 +197,39 @@ variable "mosip_infra_branch" {
 description = "Branch of the MOSIP infrastructure repository"
 type = string
 default = "develop"
-}
\ No newline at end of file
+}
+
+# ActiveMQ Configuration Variables
+variable "enable_activemq_setup" {
+description = "Enable ActiveMQ EBS volume setup on the NGINX node"
+type = bool
+default = false
+}
+
+variable "nginx_node_ebs_volume_size_3" {
+description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable"
+type = number
+default = 0
+}
+
+variable "activemq_storage_device" {
+description = "Block device path of the 3rd EBS volume for ActiveMQ"
+type = string
+default = "/dev/nvme3n1"
+
+validation {
+condition = can(regex("^/dev/.+$", var.activemq_storage_device))
+error_message = "activemq_storage_device must be a valid device path starting with /dev/ (e.g., /dev/nvme3n1 or /dev/disk/by-id/nvme-volume-id)."
+}
+}
+
+variable "activemq_mount_point" {
+description = "Mount point for ActiveMQ persistent storage"
+type = string
+default = "/srv/activemq"
+
+validation {
+condition = can(regex("^/([A-Za-z0-9._-]+)(/.*)?$", var.activemq_mount_point))
+error_message = "activemq_mount_point must be a valid absolute directory path (e.g., /srv/activemq)."
+}
+}
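Review bot: The `activemq_mount_point` regex `^/([A-Za-z0-9._-]+)(/.*)?$` only constrains the first path segment — and even that segment may be `..`, since the class contains `.` — while everything after the second `/` accepts spaces, quotes and further `..`; the playbook writes this value verbatim into `/etc/exports` and fstab and uses it as a `mkdir`/`df` target, where a space splits the export entry and `/srv/../etc` escapes the intended tree. A tighter condition is `can(regex("^(/[A-Za-z0-9._-]+)+$", var.activemq_mount_point)) && !contains(split("/", var.activemq_mount_point), "..")`. The device regex `^/dev/.+$` has the same whitespace hole; `^/dev/[A-Za-z0-9/_.-]+$` still admits `/dev/nvme3n1` and the by-id form the error message names. These checks also differ from the `startswith` checks on the same variables in terraform/implementations/aws/infra/variables.tf, so one regex reused across all copies would avoid a value passing at one layer and failing at another.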