diff --git a/.github/actions/install-yq/action.yml b/.github/actions/install-yq/action.yml
new file mode 100644
index 000000000..f2970154f
--- /dev/null
+++ b/.github/actions/install-yq/action.yml
@@ -0,0 +1,15 @@
+name: "Install yq"
+description: "Install yq from source"
+inputs:
+  version:
+    description: "yq version"
+    default: v4.44.3
+  arch:
+    description: "host arch"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: install yq
+      shell: bash
+      run: curl -fsL https://github.com/mikefarah/yq/releases/download/${{ inputs.version }}/yq_linux_${{ inputs.arch }}.tar.gz | tar xz && mv yq_linux_${{ inputs.arch }} /usr/bin/yq
\ No newline at end of file
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 183cfb8eb..bb92c95ee 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -28,8 +28,8 @@ jobs:
       matrix:
         archBox:
         - { arch: amd64, vmArch: x64 }
-        - { arch: arm64, vmArch: arm64 }
-    runs-on: runs-on,runner=1cpu-linux-${{ matrix.archBox.vmArch }},run-id=${{ github.run_id }}
+#        - { arch: arm64, vmArch: arm64 }
+    runs-on: repo-webhook-runner-dind
     steps:
       - name : Checkout repository
         # https://github.com/actions/checkout/releases/tag/v4.1.1
@@ -40,6 +40,10 @@ jobs:
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: 'go.mod'
+      - name: install yq
+        uses: ./.github/actions/install-yq
+        with:
+          arch: ${{ matrix.archBox.arch }}
 
       # TODO: Pull this next one out once there's a helm-release for rancher 2.9
       - name: Checkout rancher/rancher and build the chart
@@ -85,5 +89,5 @@ jobs:
         env:
           ARCH: "${{ matrix.archBox.arch }}"
           CLUSTER_NAME: webhook
-          IMAGE_REPO: rancher/webhook
+          IMAGE_REPO: cnrancher/webhook
           IMAGE_TAG: "${{ env.IMAGE_TAG }}"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 77bfaa44a..f73440530 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,12 +11,14 @@ permissions:
 
 env:
   REGISTRY: docker.io
-  REPO: rancher
+  REPO: cnrancher
 
 jobs:
   build:
     name: build and package
     runs-on: ubuntu-latest
+    env:
+      OAUTH_TOKEN: ${{ secrets.GH_TOKEN }}
     strategy:
       matrix:
         arch:
@@ -96,7 +98,7 @@ jobs:
         cd dist/artifacts
         gh --repo "${{ github.repository }}" release create ${{ github.ref_name }} --prerelease --verify-tag --generate-notes webhook-linux-* sha256sum-*.txt rancher-webhook*.tgz
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 
   image:
     permissions:
@@ -128,13 +130,6 @@ jobs:
           cp -v dist/artifacts/webhook-linux-${{ matrix.arch }} bin/webhook
           chmod +x bin/webhook
 
-      - name: "Read vault secrets"
-        uses: rancher-eio/read-vault-secrets@main
-        with:
-          secrets: |
-            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
-            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
-
       - name: Set up QEMU
         # https://github.com/docker/setup-qemu-action/releases/tag/v3.1.0
         uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
@@ -148,8 +143,8 @@ jobs:
         uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ env.DOCKER_USERNAME }}
-          password: ${{ env.DOCKER_PASSWORD }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Build and push the webhook image
         id: build
@@ -194,20 +189,13 @@ jobs:
         uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
         # https://github.com/docker/setup-buildx-action/releases/tag/v3.4.0
 
-      - name: "Read vault secrets"
-        uses: rancher-eio/read-vault-secrets@main
-        with:
-          secrets: |
-            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
-            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
-
       - name: Log in to the Container registry
         uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         # https://github.com/docker/login-action/releases/tag/v3.2.0
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ env.DOCKER_USERNAME }}
-          password: ${{ env.DOCKER_PASSWORD }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
 
         # setup tag name
       - if: ${{ startsWith(github.ref, 'refs/tags/') }}
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
deleted file mode 100644
index abade6bf5..000000000
--- a/.github/workflows/renovate.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: Renovate
-on:
-  workflow_dispatch:
-    inputs:
-      logLevel:
-        description: "Override default log level"
-        required: false
-        default: "info"
-        type: string
-      overrideSchedule:
-        description: "Override all schedules"
-        required: false
-        default: "false"
-        type: string
-  # Run twice in the early morning (UTC) for initial and follow up steps (create pull request and merge)
-  schedule:
-    - cron: '30 4,6 * * *'
-
-jobs:
-  call-workflow:
-    uses: rancher/renovate-config/.github/workflows/renovate.yml@release
-    with:
-      logLevel: ${{ inputs.logLevel || 'info' }}
-      overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
-    secrets: inherit
diff --git a/Dockerfile.dapper b/Dockerfile.dapper
index 87da7f48b..13f96ca2c 100644
--- a/Dockerfile.dapper
+++ b/Dockerfile.dapper
@@ -17,7 +17,7 @@ RUN if [ "${ARCH}" = "amd64" ]; then \
 
 RUN GOBIN=/usr/local/bin go install go.uber.org/mock/mockgen@v0.5.0
 
-ENV DAPPER_ENV REPO TAG CROSS
+ENV DAPPER_ENV REPO TAG CROSS OAUTH_TOKEN
 ENV DAPPER_SOURCE /go/src/github.com/rancher/webhook/
 ENV DAPPER_OUTPUT ./bin ./dist
 ENV DAPPER_DOCKER_SOCKET true
diff --git a/go.mod b/go.mod
index 67cb459bc..5bc7c9c64 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.22.0
 toolchain go1.22.7
 
 replace (
+	github.com/rancher/rancher/pkg/apis => github.com/cnrancher/pandaria/pkg/apis v0.0.0-20241125085519-4a8d505e5d2e
 	github.com/rancher/rke => github.com/rancher/rke v1.6.2
 	k8s.io/api => k8s.io/api v0.31.1
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.31.1
@@ -70,6 +71,9 @@ require (
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cnrancher/ack-operator v0.0.5-0.20240709124229-11f7682e76c8 // indirect
+	github.com/cnrancher/cce-operator v0.4.7-0.20240711035457-e0c05380e64b // indirect
+	github.com/cnrancher/tke-operator v0.0.0-20240709040941-2b6bd9b720ba // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
diff --git a/go.sum b/go.sum
index b79cf7ee2..4c14d3f7b 100644
--- a/go.sum
+++ b/go.sum
@@ -14,6 +14,14 @@ github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK3
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cnrancher/ack-operator v0.0.5-0.20240709124229-11f7682e76c8 h1:DVoniXZBmUHZDXNIoQNc3cLsVCYtw5PssKeGUCTA9bY=
+github.com/cnrancher/ack-operator v0.0.5-0.20240709124229-11f7682e76c8/go.mod h1:hiokdx7XD3hCThaqVVabaEKpac7+CEiIRj+z3nxUddM=
+github.com/cnrancher/cce-operator v0.4.7-0.20240711035457-e0c05380e64b h1:XxHt9fQGcBcWZC/n08apXxYDiSHbGwh/5bDkus3xsD0=
+github.com/cnrancher/cce-operator v0.4.7-0.20240711035457-e0c05380e64b/go.mod h1:X3kFtm/chlzFBS8EQUM2OSqPi1xEvFjhCIZ+RWkRmNM=
+github.com/cnrancher/pandaria/pkg/apis v0.0.0-20241125085519-4a8d505e5d2e h1:ot5GfkISk6dX7TLsuKI5KkiG1hawMRvy+kNuIAdBMcc=
+github.com/cnrancher/pandaria/pkg/apis v0.0.0-20241125085519-4a8d505e5d2e/go.mod h1:zrFZ42CIcdMduSPFfoo81+dW2hN/cW9K4xjdgulv1KY=
+github.com/cnrancher/tke-operator v0.0.0-20240709040941-2b6bd9b720ba h1:Y1r4u39Br5a4Rmav/8LqFREqxNb9OhS/HSKDM+dZLiI=
+github.com/cnrancher/tke-operator v0.0.0-20240709040941-2b6bd9b720ba/go.mod h1:1p27hIbz+pIyJ8U0hgxBJ0Wjujf3fKeSd/lNbn3gHuM=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
@@ -160,8 +168,6 @@ github.com/rancher/lasso v0.0.0-20240924233157-8f384efc8813 h1:V/LY8pUHZG9Kc+xED
 github.com/rancher/lasso v0.0.0-20240924233157-8f384efc8813/go.mod h1:IxgTBO55lziYhTEETyVKiT8/B5Rg92qYiRmcIIYoPgI=
 github.com/rancher/norman v0.0.0-20241001183610-78a520c160ab h1:ihK6See3y/JilqZlc0CG7NXPN+ue5nY9U7xUZUA8M7I=
 github.com/rancher/norman v0.0.0-20241001183610-78a520c160ab/go.mod h1:qX/OG/4wY27xSAcSdRilUBxBumV6Ey2CWpAeaKnBQDs=
-github.com/rancher/rancher/pkg/apis v0.0.0-20241107150810-8b9e1881ab4b h1:KwXK3otsV/P2Pi/oqmXJjUU8vKbLrjFLY31lQF0MFCo=
-github.com/rancher/rancher/pkg/apis v0.0.0-20241107150810-8b9e1881ab4b/go.mod h1:JQDXc3nYZGsnjLxEyoaTH39wfYKoCLL1gdQe6ShOHNQ=
 github.com/rancher/rke v1.6.2 h1:ttGk77t5oe7bsiS7s7SOFmAl3PALYI5M2SQQenjKevk=
 github.com/rancher/rke v1.6.2/go.mod h1:5xRbf3L8PxqJRhABjYRfaBqbpVqAnqyH3maUNQEuwvk=
 github.com/rancher/wrangler/v3 v3.1.0 h1:8ETBnQOEcZaR6WBmUSysWW7WnERBOiNTMJr4Dj3UG/s=
diff --git a/scripts/build b/scripts/build
index fd6df0ce2..11b22f8f6 100755
--- a/scripts/build
+++ b/scripts/build
@@ -9,10 +9,15 @@ mkdir -p bin
 if [ "$(uname)" = "Linux" ]; then
     OTHER_LINKFLAGS="-extldflags -static -s"
 fi
+
+if [ "$OAUTH_TOKEN" != "" ]; then
+   git config --global url."https://${OAUTH_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
+fi
+
 LINKFLAGS="-X main.Version=$VERSION"
 LINKFLAGS="-X main.GitCommit=$COMMIT $LINKFLAGS"
 CGO_ENABLED=0 go build -ldflags "$LINKFLAGS $OTHER_LINKFLAGS" -o bin/webhook
 if [ "$CROSS" = "true" ] && [ "$ARCH" = "amd64" ]; then
-    GOOS=darwin go build -ldflags "$LINKFLAGS" -o bin/webhook-darwin
-    GOOS=windows go build -ldflags "$LINKFLAGS" -o bin/webhook-windows-amd64.exe
+    GOOS=darwin GOPRIVATE="github.com/cnrancher" go build -ldflags "$LINKFLAGS" -o bin/webhook-darwin
+    GOOS=windows GOPRIVATE="github.com/cnrancher" go build -ldflags "$LINKFLAGS" -o bin/webhook-windows-amd64.exe
 fi
diff --git a/scripts/package b/scripts/package
index 6ba0f840c..eb5854f4a 100755
--- a/scripts/package
+++ b/scripts/package
@@ -14,7 +14,7 @@ for i in bin/webhook-*; do
         cp $i dist/artifacts
     fi
 done
-REPO=rancher
+REPO=cnrancher
 
 IMAGE=${REPO}/webhook:${TAG}
 DOCKERFILE=./package/Dockerfile