diff --git a/terraform/Makefile b/terraform/Makefile
index 3ae0e7d1..bd495c5c 100644
--- a/terraform/Makefile
+++ b/terraform/Makefile
@@ -88,6 +88,7 @@ create: init
 echo "Management cluster with prefix $(PREFIX) already exists. This is not supported due to unexpected side-effects." && exit 1; \
 else \
 touch .deploy.$(ENVIRONMENT); \
+ unset SSH_AUTH_SOCK; \
 tofu apply -auto-approve -var-file="environments/environment-$(ENVIRONMENT).tfvars" -var "git_reference=$(GITREFERENCE)" -var "git_repo=$(GITREPO)"; \
 fi
@@ -96,6 +97,7 @@ show: init
 clean: init
 @if test -e ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); then source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); \
+ unset SSH_AUTH_SOCK; \
 ssh -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS "timeout 320 ~/bin/cleanup.sh || true"; fi
 tofu destroy -auto-approve -var-file="environments/environment-$(ENVIRONMENT).tfvars" $(PARAMS)
 @tofu workspace select default
@@ -140,12 +142,14 @@ list: init
 ssh: .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVIRONMENT)
 @source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); \
+ unset SSH_AUTH_SOCK; \
 ssh -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS
 login: ssh
 get-kubeconfig: .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVIRONMENT)
 @source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); \
+ unset SSH_AUTH_SOCK; \
 scp -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS:.kube/config .kubeconfig.$(ENVIRONMENT); \
 scp -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS:$(TESTCLUSTER)/$(TESTCLUSTER).yaml $(TESTCLUSTER).yaml.$(ENVIRONMENT); \
 scp -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS:$(TESTCLUSTER)/clusterctl.yaml clusterctl.$(TESTCLUSTER).yaml.$(ENVIRONMENT); \
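Review bot: `unset SSH_AUTH_SOCK;` is added in front of every ssh/scp invocation (create, clean, ssh and get-kubeconfig here; deploy, check, watch, k9s and deploy-cso in the later hunks) without a comment saying why. If the aim is to stop ssh offering every agent key before `.deploy.id_rsa.$(ENVIRONMENT)` and tripping the server's authentication-attempt limit, `-o IdentitiesOnly=yes` next to the existing `-o StrictHostKeyChecking=no` states that intent on the command itself and does not disable the agent for anything else on the same recipe line. In the `create` recipe the `unset` precedes `tofu apply`, where the effect depends on whether the provisioners pick up SSH_AUTH_SOCK — that spot in particular deserves a comment such as `# no agent here: only the generated deploy key may be used`. Whichever form is kept, a single why-comment at the first occurrence would spare the next reader the guess; note that the create and clean recipes begin before their hunks, and the get-kubeconfig recipe appears to continue past what this view shows.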
@@ -155,6 +159,7 @@ get-kubeconfig: .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVI
 deploy: .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVIRONMENT)
 @source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); \
+ unset SSH_AUTH_SOCK; \
 ssh -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS "~/bin/deploy_cluster_api.sh"
 log: .deploy.$(ENVIRONMENT)
@@ -178,6 +183,7 @@ console: .deploy.$(ENVIRONMENT)
 check: .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVIRONMENT)
 @source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); \
+ unset SSH_AUTH_SOCK; \
 ssh -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS "~/bin/sonobuoy.sh $(TESTCLUSTER) $(SONOMODE)"
 # Pass SONOMODE="--mode quick" for a quick check
@@ -204,6 +210,7 @@ watch: .deploy.id_rsa.$(ENVIRONMENT) .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT)
 YELLOW=$$(echo -e "\e[0;33m"); \
 NORM=$$(echo -e "\e[0;0m"); \
 fi; \
+ unset SSH_AUTH_SOCK; \
 while true; do \
 LEN=$$(ssh -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS "sudo wc -l /var/log/cloud-init-output.log 2>/dev/null"); \
 LEN=$${LEN%% *}; \
@@ -228,11 +235,13 @@ openstack: init
 k9s: .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVIRONMENT)
 @source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); \
+ unset SSH_AUTH_SOCK; \
 ssh -t -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS \
 "KUBECONFIG=/home/$(USERNAME)/.kube/config:/home/$(USERNAME)/$(TESTCLUSTER)/$(TESTCLUSTER).yaml k9s --all-namespaces"
 deploy-cso: .deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT) .deploy.id_rsa.$(ENVIRONMENT)
 @source ./.deploy.MGMTCLUSTER_ADDRESS.$(ENVIRONMENT); \
+ unset SSH_AUTH_SOCK; \
 ssh -t -o StrictHostKeyChecking=no -i .deploy.id_rsa.$(ENVIRONMENT) $(USERNAME)@$$MGMTCLUSTER_ADDRESS \
 "GIT_ACCESS_TOKEN=$(GIT_ACCESS_TOKEN) envsubst '\$${GIT_ACCESS_TOKEN}' < /home/$(USERNAME)/kubernetes-manifests.d/cso.yaml | KUBECONFIG=/home/$(USERNAME)/.kube/config kubectl --context kind-kind apply -f -"
diff --git a/terraform/files/bin/bootstrap.sh b/terraform/files/bin/bootstrap.sh
index 5826db2a..95260ff0 100755
--- a/terraform/files/bin/bootstrap.sh
+++ b/terraform/files/bin/bootstrap.sh
@@ -74,12 +74,22 @@ source ~/.kube-ps1/kube-ps1.sh
 PS1="\${PS1%\\\\\$ } \\\$(kube_ps1) [\\\$?]\\\$ "
 # We may do git commits and nano feels unusual ...
 export VISUAL=/usr/bin/vim
+
+# clusterctl beta features
+export CLUSTER_TOPOLOGY=true
+export EXP_CLUSTER_RESOURCE_SET=true
+
+# CSO settings
+export GIT_PROVIDER_B64=$(echo -n "github" | base64 -w0)
+export GIT_ORG_NAME_B64=$(echo -n "SovereignCloudStack" | base64 -w0)
+export GIT_REPOSITORY_NAME_B64=$(echo -n "cluster-stacks" | base64 -w0)
+# export GIT_ACCESS_TOKEN_B64=\$(echo -n "\$GIT_ACCESS_TOKEN" | base64 -w0)
 # eof
 EOF
 # openstack completion
 openstack complete > ~/.bash_openstack 2>/dev/null
-echo -e "#openstack completion\nsource ~/.bash_openstack" >> ~/.bash_aliases
+echo -e "#openstack complete\nsource ~/.bash_openstack" >> ~/.bash_aliases
 # set inputrc set tab once
 cat < .inputrc
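Review bot: The three new `export GIT_*_B64=$(echo -n … | base64 -w0)` lines in bootstrap.sh sit in the same heredoc as the PS1 line, whose `\$` escaping indicates an unquoted delimiter, so they are expanded while bootstrap.sh runs and ~/.bash_aliases receives the resulting base64 literals, whereas the commented-out `GIT_ACCESS_TOKEN_B64` line escapes its `\$` and would be evaluated at every login from the environment; the heredoc's opening line is outside the hunk, so this is inferred. Both work, but the mix is easy to misread and deserves a comment along the lines of `# CSO settings: fixed values are encoded once here; the access token is added by the operator later`. It would also help to say who consumes these variables — install_cspo.sh, new in this commit, exits unless GIT_PROVIDER_B64 and GIT_ACCESS_TOKEN_B64 are set. The "completion" → "complete" edit in the echo line only changes the comment written into ~/.bash_aliases; "completion" read more naturally than the subcommand name.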
diff --git a/terraform/files/bin/install_cspo.sh b/terraform/files/bin/install_cspo.sh
new file mode 100755
index 00000000..81e23599
--- /dev/null
+++ b/terraform/files/bin/install_cspo.sh
@@ -0,0 +1,209 @@ +#!/bin/bash +# +# Bootstrap Cluster Stacks on a KaaS v1 management host +# +# Usage: install_cspo.sh [csponame [clusterns]] +# Defaults to cspo and cluster +# +# Needs OS_CLOUD to be set to your target cloud project +# +# (c) Kurt Garloff , 3/2024 +# SPDX-License-Identifier: ASL-2.0 +NAME=${1:-cspo} +CLUSTER=${2:-cluster} +cd +. ~/.capi-settings +if test -e ~/.bash_aliases; then . ~/.bash_aliases; fi +# Check out repos +test_or_update() +{ + if test -d $1; then + cd $1 + git pull + cd + else + git clone https://github.com/SovereignCloudStack/$1 + fi +} +test_or_update cluster-stacks +test_or_update cluster-stack-operator +test_or_update cluster-stack-provider-openstack +# envsubst helper (please always call with full path, as there is a name conflict) +ENVSUBST=/usr/local/bin/envsubst +if test ! -x $ENVSUBST; then + sudo apt-get -y install golang-go + mkdir -p ~/tmp + GOBIN=~/tmp go install github.com/drone/envsubst/v2/cmd/envsubst@latest + sudo mv ~/tmp/envsubst $ENVSUBST +fi +# Deploy CSO and CSPO +if test -z "$GIT_PROVIDER_B64"; then + echo "Please add GIT_[PROVIDER|ORG_NAME_REPOSITORY_NAME|ACCESS_TOKEN]_B64 to ~/.bash_aliases, see bootstrap.sh" 1>&2 + exit 1 +fi +if test -z "$GIT_ACCESS_TOKEN_B64"; then + echo "Please set GIT_ACCESS_TOKEN_B64 in your ~/.bash_aliases" 1>&2 + exit 1 +fi +# CSO manifests +EXTID=$(openstack network list --external -f value -c ID | head -n1) +mkdir -p $NAME +cd $NAME +CSO_VERSION=$(curl https://api.github.com/repos/SovereignCloudStack/cluster-stack-operator/releases/latest -s | jq .name -r) +curl -sSLO https://github.com/sovereignCloudStack/cluster-stack-operator/releases/download/${CSO_VERSION}/cso-infrastructure-components.yaml +# CSPO manifests +CSPO_VERSION=$(curl https://api.github.com/repos/SovereignCloudStack/cluster-stack-provider-openstack/releases/latest -s | jq .name -r) +curl -sSLO 
https://github.com/sovereignCloudStack/cluster-stack-provider-openstack/releases/download/${CSPO_VERSION}/cspo-infrastructure-components.yaml +$ENVSUBST < cso-infrastructure-components.yaml | kubectl apply -f - +$ENVSUBST < cspo-infrastructure-components.yaml | kubectl apply -f - +# Prepare for cluster templates +# Create clouds.yaml (with app credential) +if test ! -r clouds.yaml; then + #APPCREDS=$(openstack application credential list -f value -c ID -c Name -c "Project ID") + APPCRED=$(openstack application credential show $PREFIX-$NAME >/dev/null) + if test $? = 0; then + echo "App Cred $PREFIX-CSPO exists, but no clouds.yaml, please delete it" 1>&2 + exit 2 + fi + # restricted AppCred should be OK, as we don't create dependant Sub-AppCreds, so no --unsrestricted + NEWCRED=$(openstack application credential create "$PREFIX-$NAME" --description "App Cred $PREFIX for $NAME" -f value -c id -c project_id -c secret) + if test $? != 0; then + echo "Application Credential generation failed." 1>&2 + exit 2 + fi + read APPCRED_ID APPCRED_PRJ APPCRED_SECRET < <(echo $NEWCRED) + echo "#Created AppCred $APPCRED_ID" + AUTH_URL=$(print-cloud.py | yq eval .clouds.${OS_CLOUD}.auth.auth_url -) + REGION=$(print-cloud.py | yq eval .clouds.${OS_CLOUD}.region_name -) + CACERT=$(print-cloud.py | yq eval '.clouds."'"$OS_CLOUD"'".cacert // "null"' -) + # In theory we could also make interface and id_api_vers variable, + # but let's do that once we find the necessity. Error handling makes + # it slightly complex, so it's not an obvious win. + cat >clouds.yaml </dev/null +# Store an example cluster-stack +# Note: These should preferably be taken from the checked out repos. +# Currently, we use the content from https://input.scs.community/_HeOTRCRSu2Uf2SfMSoOkQ?both# +cat > clusterstack-alpha-1-29-v3-$CLUSTER.yaml <clusterresourceset-secret-$CLUSTER.yaml <cluster-alpha-1-29-v3-$CLUSTER.yaml < ~/$NAME/cs-$CLUSTER.yaml" + 
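Review bot: `CSO_VERSION` and `CSPO_VERSION` come from `curl … | jq .name -r` with no `--fail` and no check of the result, so an API error response (rate limit, outage) yields `null` or an empty string, the following `curl -sSLO` then stores an error page under the manifest name, and `$ENVSUBST … | kubectl apply -f -` tries to apply it; adding `-f` to each curl and rejecting an empty or `null` version before the download makes the failure explicit (fence below). Separately, `go install …/envsubst@latest` followed by `sudo mv` into /usr/local/bin puts an unpinned build on a system path — pinning the version (and ideally checking a digest) would make the bootstrap reproducible. The message `App Cred $PREFIX-CSPO exists` hard-codes CSPO while the credential is named `$PREFIX-$NAME`, and `read … < <(echo $NEWCRED)` passes the fresh secret through an unquoted `echo`; `read APPCRED_ID APPCRED_PRJ APPCRED_SECRET <<<"$NEWCRED"` avoids the extra process and the word-splitting. The heredoc bodies (clouds.yaml, cluster-stack and cluster manifests) are not legible in this view of the hunk and have not been reviewed.
```shell
# … unchanged: repo checkout, envsubst install, GIT_*_B64 checks, EXTID …
CSO_VERSION=$(curl -fsS https://api.github.com/repos/SovereignCloudStack/cluster-stack-operator/releases/latest | jq -r .name)
test -n "$CSO_VERSION" -a "$CSO_VERSION" != "null" || { echo "Could not determine latest CSO release" 1>&2; exit 3; }
curl -fsSLO https://github.com/sovereignCloudStack/cluster-stack-operator/releases/download/${CSO_VERSION}/cso-infrastructure-components.yaml
# CSPO manifests
CSPO_VERSION=$(curl -fsS https://api.github.com/repos/SovereignCloudStack/cluster-stack-provider-openstack/releases/latest | jq -r .name)
test -n "$CSPO_VERSION" -a "$CSPO_VERSION" != "null" || { echo "Could not determine latest CSPO release" 1>&2; exit 3; }
curl -fsSLO https://github.com/sovereignCloudStack/cluster-stack-provider-openstack/releases/download/${CSPO_VERSION}/cspo-infrastructure-components.yaml
# … unchanged: kubectl apply, clouds.yaml / application credential creation, example manifests …
```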
diff --git a/terraform/files/bin/prepare_openstack.sh b/terraform/files/bin/prepare_openstack.sh
index 3082e6eb..bda407c1 100755
--- a/terraform/files/bin/prepare_openstack.sh
+++ b/terraform/files/bin/prepare_openstack.sh
@@ -9,6 +9,7 @@ sudo patch -p2 -N -d /usr/lib/python3/dist-packages/keystoneauth1 < /tmp/fix-key
 # convenience
 echo "export OS_CLOUD=\"$OS_CLOUD\"" >> $HOME/.bash_aliases
+echo "export CLIFF_FIT_WIDTH=1" >> $HOME/.bash_aliases
 # Determine project ID and inject into cloud.conf
 PROJECTID=$(openstack application credential show "${PREFIX}-appcred" -f value -c project_id)