diff --git a/charts/sn-platform-slim/conf/toolset/pulsar/clean_tls.sh b/charts/sn-platform-slim/conf/toolset/pulsar/clean_tls.sh new file mode 100755 index 000000000..884cc383e --- /dev/null +++ b/charts/sn-platform-slim/conf/toolset/pulsar/clean_tls.sh 
@@ -0,0 +1,115 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +set -e + +CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +cd ${CHART_HOME} + +namespace=${namespace:-pulsar} +release=${release:-pulsar-dev} +clientComponents=${clientComponents:-"toolset"} +serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper"} + +usage() { + cat <&2 "${tool} is required. 
Please follow ${url}" + exit 1 +} + +function need_gcloud(){ + need_tool "gcloud" "https://cloud.google.com/sdk/downloads" +} + +function need_kubectl(){ + need_tool "kubectl" "https://kubernetes.io/docs/tasks/tools/install-kubectl" +} + +function need_helm(){ + need_tool "helm" "https://github.com/helm/helm/#install" +} + +function need_eksctl(){ + need_tool "eksctl" "https://eksctl.io" +} + +function validate_gke_required_tools(){ + if [ -z "$PROJECT" ]; then + echo "\$PROJECT needs to be set to your project id"; + exit 1; + fi + + for comm in gcloud kubectl helm + do + command -v "${comm}" > /dev/null 2>&1 || "need_${comm}" + done + + gcloud container clusters list --project $PROJECT >/dev/null 2>&1 || { echo >&2 "Gcloud seems to be configured incorrectly or authentication is unsuccessfull"; exit 1; } + +} + +function cluster_admin_password_gke(){ + gcloud container clusters describe $CLUSTER_NAME --zone $ZONE --project $PROJECT --format='value(masterAuth.password)'; +} + +function validate_eks_required_tools(){ + for comm in eksctl kubectl helm + do + command -v "${comm}" > /dev/null 2>&1 || "need_${comm}" + done +} diff --git a/charts/sn-platform-slim/conf/toolset/pulsar/common_auth.sh b/charts/sn-platform-slim/conf/toolset/pulsar/common_auth.sh new file mode 100755 index 000000000..ede8c86eb --- /dev/null +++ b/charts/sn-platform-slim/conf/toolset/pulsar/common_auth.sh 
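Review bot: `cluster_admin_password_gke` prints the cluster's `masterAuth.password` to stdout, so any caller puts a long-lived admin credential into terminal scrollback and CI logs; if it is still needed, write it to a mode-600 file or a Kubernetes secret, and prefer `gcloud container clusters get-credentials`, which gke_bootstrap_script.sh in this same change already uses. `$PROJECT`, `$CLUSTER_NAME` and `$ZONE` are passed unquoted in every `gcloud` call, e.g. `gcloud container clusters list --project "$PROJECT"`. In this rendering the `usage()` heredoc of clean_tls.sh and the text up to `echo >&2` were lost, and the `need_tool`/`validate_*` functions appear to belong to a second file (the `common.sh` that gke_bootstrap_script.sh sources) whose header is not visible, so the clean_tls.sh body itself could not be reviewed. The identical blob is added again under charts/sn-platform/conf/toolset/pulsar/clean_tls.sh (index 884cc383e).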
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+if [ -z "$CHART_HOME" ]; then
+ echo "error: CHART_HOME should be initialized"
+ exit 1
+fi
+
+OUTPUT=${CHART_HOME}/output
+OUTPUT_BIN=${OUTPUT}/bin
+PULSARCTL_VERSION=v2.10.2.2
+PULSARCTL_BIN=/pulsar/bin/pulsarctl
+export PATH=${HOME}/.pulsarctl/plugins:${PATH}
+
+discoverArch() {
+ ARCH=$(uname -m)
+ case $ARCH in
+ x86) ARCH="386";;
+ x86_64) ARCH="amd64";;
+ i686) ARCH="386";;
+ i386) ARCH="386";;
+ esac
+}
+
+discoverArch
+OS=$(echo `uname`|tr '[:upper:]' '[:lower:]')
+
+test -d "$OUTPUT_BIN" || mkdir -p "$OUTPUT_BIN"
+
+function pulsar::verify_pulsarctl() {
+ if test -x "$PULSARCTL_BIN"; then
+ return
+ fi
+ return 1
+}
+
+function pulsar::ensure_pulsarctl() {
+ if pulsar::verify_pulsarctl; then
+ return 0
+ fi
+ echo "Get pulsarctl install.sh script ..."
+ install_script=$(mktemp)
+ trap "test -f $install_script && rm $install_script" RETURN
+ curl --retry 10 -L -o $install_script https://raw.githubusercontent.com/streamnative/pulsarctl/master/install.sh
+ chmod +x $install_script
+ $install_script --user --version ${PULSARCTL_VERSION}
+}
+
+
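Review bot: `pulsar::ensure_pulsarctl` fetches `install.sh` from the `master` branch of streamnative/pulsarctl with `curl -L -o` but no `--fail`, then `chmod +x` and executes whatever landed in the file — an error page, a redirect body or any later change to that branch runs with the caller's privileges, and nothing is pinned or checksummed even though `PULSARCTL_VERSION` itself is pinned to `v2.10.2.2`. Every caller in this change comments the call out (`# pulsar::ensure_pulsarctl`) and sets `PULSARCTL_BIN=/pulsar/bin/pulsarctl`, presumably shipped in the toolset image, so the cleanest fix is to drop the download path and make `pulsar::verify_pulsarctl` fail loudly; if it must stay, pin the installer to a tag or commit and verify a digest committed with the chart: `curl --fail --retry 10 -L -o "$install_script" "https://raw.githubusercontent.com/streamnative/pulsarctl/<PINNED_REF>/install.sh"` followed by `echo "<EXPECTED_SHA256>  $install_script" | sha256sum -c`. `ARCH` and `OS` are computed but not used anywhere in this file, and the `echo` inside `OS=$(...)` is redundant: `OS=$(uname | tr '[:upper:]' '[:lower:]')`. The same blob is added at charts/sn-platform/conf/toolset/pulsar/common_auth.sh (index ede8c86eb).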
diff --git a/charts/sn-platform-slim/conf/toolset/pulsar/decommission_bookies.sh b/charts/sn-platform-slim/conf/toolset/pulsar/decommission_bookies.sh new file mode 100755 index 000000000..55e2823f7 --- /dev/null +++ b/charts/sn-platform-slim/conf/toolset/pulsar/decommission_bookies.sh @@ -0,0 +1,96 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +set -e + +CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +cd ${CHART_HOME} + +usage() { + cat <=1; i--)) +do + j=$((i-1)) + echo /pulsar/kubectl -n ${namespace} scale --replicas=${j} sts/${statefulset} + /pulsar/kubectl -n ${namespace} scale --replicas=${j} sts/${statefulset} + echo /pulsar/kubectl -n ${autorecovery_namespace} exec -it ${autorecovery_pod} -- bin/bookkeeper shell decommissionbookie -bookieid ${statefulset}-${j}.${statefulset}.${namespace}.svc.cluster.local:3181 + /pulsar/kubectl -n ${autorecovery_namespace} exec -it ${autorecovery_pod} -- bin/bookkeeper shell decommissionbookie -bookieid ${statefulset}-${j}.${statefulset}.${namespace}.svc.cluster.local:3181 +done 
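Review bot: After `kubectl scale --replicas=${j}` the loop immediately runs `decommissionbookie` for bookie `${j}`, but `scale` returns as soon as the desired count is recorded, so the pod is normally still terminating when the autorecovery shell is asked to decommission it; BookKeeper documents `decommissionbookie` as the step to run after the bookie has been stopped, so add `/pulsar/kubectl -n "${namespace}" rollout status "sts/${statefulset}" --timeout=10m` between the two calls rather than relying on `set -e` alone. The `-it` flags on both `exec` calls are interactive-terminal flags; in a Job or CI run kubectl warns `Unable to use a TTY` and falls back, and the command reads no input, so plain `exec "${autorecovery_pod}" --` is the right form. The loop header, the `usage()` heredoc and the option parsing that set `autorecovery_pod` and the upper bound of `i` are missing from this rendering and could not be checked. charts/sn-platform/conf/toolset/pulsar/decommission_bookies.sh (index 55e2823f7) is the same blob.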
diff --git a/charts/sn-platform-slim/conf/toolset/pulsar/generate_token.sh b/charts/sn-platform-slim/conf/toolset/pulsar/generate_token.sh new file mode 100755 index 000000000..7dd1b656e --- /dev/null +++ b/charts/sn-platform-slim/conf/toolset/pulsar/generate_token.sh 
@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+set -e
+
+CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd)
+cd ${CHART_HOME}
+
+usage() {
+ cat <
+EOF
+}
+
+symmetric=false
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ -n|--namespace)
+ namespace="$2"
+ shift
+ shift
+ ;;
+ -k|--release)
+ release="$2"
+ shift
+ shift
+ ;;
+ -r|--role)
+ role="$2"
+ shift
+ shift
+ ;;
+ -s|--symmetric)
+ symmetric=true
+ shift
+ ;;
+ -h|--help)
+ usage
+ exit 0
+ ;;
+ *)
+ echo "unknown option: $key"
+ usage
+ exit 1
+ ;;
+esac
+done
+
+if [[ "x${role}" == "x" ]]; then
+ echo "No pulsar role is provided!"
+ usage
+ exit 1
+fi
+
+source ${CHART_HOME}/scripts/pulsar/common_auth.sh
+
+# pulsar::ensure_pulsarctl
+
+namespace=${namespace:-pulsar}
+release=${release:-pulsar-dev}
+
+function pulsar::jwt::generate_symmetric_token() {
+ local token_name="${release}-token-${role}"
+ local secret_name="${release}-token-symmetric-key"
+
+ tmpfile=$(mktemp)
+ trap "test -f $tmpfile && rm $tmpfile" RETURN
+ tokentmpfile=$(mktemp)
+ trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
+ /pulsar/kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['SECRETKEY']}" | base64 --decode > ${tmpfile}
+ ${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile}
+ newtokentmpfile=$(mktemp)
+ tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
+ /pulsar/kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric"
+}
+
+function pulsar::jwt::generate_asymmetric_token() {
+ local token_name="${release}-token-${role}"
+ local secret_name="${release}-token-asymmetric-key"
+
+ privatekeytmpfile=$(mktemp)
+ trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN
+ tokentmpfile=$(mktemp)
+ trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
+ /pulsar/kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['PRIVATEKEY']}" | base64 --decode > ${privatekeytmpfile}
+ ${PULSARCTL_BIN} token create -a RS256 --private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile}
+ newtokentmpfile=$(mktemp)
+ tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
+ /pulsar/kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric"
+}
+
+if [[ "${symmetric}" == "true" ]]; then
+ pulsar::jwt::generate_symmetric_token
+else
+ pulsar::jwt::generate_asymmetric_token
+fi
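Review bot: In `pulsar::jwt::generate_symmetric_token` the second `trap ... RETURN` replaces the first, so on return only `tokentmpfile` is removed while `tmpfile` — the decoded `SECRETKEY` — and `newtokentmpfile` — the minted token — are left behind in `$TMPDIR`; `pulsar::jwt::generate_asymmetric_token` has the same pattern and leaves the decoded `PRIVATEKEY` on disk. Separately, `2&> ${tokentmpfile}` is not a redirection: bash parses it as a stray positional argument `2` followed by `&>`, so any stderr output from pulsarctl is folded into the file that becomes the `TOKEN` secret; capture stdout only. One RETURN trap covering all three files, registered after the last `mktemp`, fixes the cleanup in both functions (the symmetric one is shown below; apply the same to the asymmetric one). `set -e` without `pipefail` also lets a failed `kubectl get` in the `| base64 --decode` pipeline pass silently with an empty key file, so `set -o pipefail` belongs next to `set -e` at the top. charts/sn-platform/conf/toolset/pulsar/generate_token.sh (index 7dd1b656e) is the same blob and needs the same fix.
```shell
function pulsar::jwt::generate_symmetric_token() {
  local token_name="${release}-token-${role}"
  local secret_name="${release}-token-symmetric-key"

  tmpfile=$(mktemp)
  tokentmpfile=$(mktemp)
  newtokentmpfile=$(mktemp)
  # a later `trap ... RETURN` replaces an earlier one, so every temp file (including the decoded key) is removed by one handler
  trap "rm -f -- '$tmpfile' '$tokentmpfile' '$newtokentmpfile'" RETURN
  /pulsar/kubectl get -n "${namespace}" secrets "${secret_name}" -o jsonpath="{.data['SECRETKEY']}" | base64 --decode > "${tmpfile}"
  # stdout only: `2&>` was parsed as an extra argument `2` plus `&>`, which mixed stderr into the token
  "${PULSARCTL_BIN}" token create -a HS256 --secret-key-file "${tmpfile}" --subject "${role}" > "${tokentmpfile}"
  # … unchanged: tr -d '\n' into newtokentmpfile and kubectl create secret …
}
```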
diff --git a/charts/sn-platform-slim/conf/toolset/pulsar/generate_token_secret_key.sh b/charts/sn-platform-slim/conf/toolset/pulsar/generate_token_secret_key.sh new file mode 100755 index 000000000..f5c9f28a3 --- /dev/null +++ b/charts/sn-platform-slim/conf/toolset/pulsar/generate_token_secret_key.sh 
@@ -0,0 +1,109 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +set -e + +CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +cd ${CHART_HOME} + +usage() { + cat < +EOF +} + +while [[ $# -gt 0 ]] +do +key="$1" + +case $key in + -n|--namespace) + namespace="$2" + shift + shift + ;; + -k|--release) + release="$2" + shift + shift + ;; + -r|--role) + role="$2" + shift + shift + ;; + -h|--help) + usage + exit 0 + ;; + *) + echo "unknown option: $key" + usage + exit 1 + ;; +esac +done + +if [[ "x${role}" == "x" ]]; then + echo "No pulsar role is provided!" + usage + exit 1 +fi + +source ${CHART_HOME}/scripts/pulsar/common_auth.sh + +# pulsar::ensure_pulsarctl + +namespace=${namespace:-pulsar} +release=${release:-pulsar-dev} + +function pulsar::jwt::get_token() { + local token_name="${release}-token-${role}" + + local token=$(/pulsar/kubectl get -n ${namespace} secrets ${token_name} -o jsonpath="{.data['TOKEN']}" | base64 --decode) + local token_type=$(/pulsar/kubectl get -n ${namespace} secrets ${token_name} -o jsonpath="{.data['TYPE']}" | base64 --decode) + + echo "token type: ${token_type}" + echo "-------------------------" + echo "${token}" +} + +pulsar::jwt::get_token 
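Review bot: The file is named generate_token_secret_key.sh but its body defines and calls `pulsar::jwt::get_token`, which reads the `${release}-token-${role}` secret and prints the decoded JWT to stdout — nothing here generates a secret key, so either the wrong script was copied to this path or the name is misleading; the `usage()` heredoc is lost in this rendering, so the help text could not be compared with the behaviour. Since the output is a bearer credential, a script with a `generate_*` name that people will run in CI should not print it unless explicitly asked. `local token=$(...)` also masks kubectl's exit status under `set -e`, so a failed `kubectl get` becomes an empty token; split the declaration from the assignment, `local token` on one line and `token=$(/pulsar/kubectl get -n "${namespace}" secrets "${token_name}" -o jsonpath="{.data['TOKEN']}" | base64 --decode)` on the next, with `set -o pipefail` at the top. The same blob is added at charts/sn-platform/conf/toolset/pulsar/generate_token_secret_key.sh (index f5c9f28a3).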
diff --git a/charts/sn-platform-slim/conf/toolset/pulsar/gke_bootstrap_script.sh b/charts/sn-platform-slim/conf/toolset/pulsar/gke_bootstrap_script.sh new file mode 100755 index 000000000..e6f20599a --- /dev/null +++ b/charts/sn-platform-slim/conf/toolset/pulsar/gke_bootstrap_script.sh 
@@ -0,0 +1,118 @@ +#!/bin/bash + +set -e + +REGION=${REGION:-"us-east1"} +ZONE_EXTENSION=${ZONE_EXTENSION:-"b"} +ZONE=${REGION}-${ZONE_EXTENSION} +CLUSTER_NAME=${CLUSTER_NAME:-"pulsar-dev"} +MACHINE_TYPE=${MACHINE_TYPE:-"n1-standard-4"} +NUM_NODES=${NUM_NODES:-"4"} +INT_NETWORK=${INT_NETWORK:-"default"} +PREEMPTIBLE=${PREEMPTIBLE-false} +EXTRA_CREATE_ARGS=${EXTRA_CREATE_ARGS:-""} +USE_LOCAL_SSD=${USE_LOCAL_SSD-false} +LOCAL_SSD_COUNT=${LOCAL_SSD_COUNT:-"4"} +CONFDIR=${CONFDIR:-"${HOME}/.config/streamnative"} + +# MacOS does not support readlink, but it does have perl +KERNEL_NAME=$(uname -s) +BINDIR=$(dirname "$0") +SCRIPTS_DIR=`cd ${BINDIR};pwd` + +source ${SCRIPTS_DIR}/common.sh; + +function bootstrap(){ + set -e + validate_gke_required_tools; + + # Use the default cluster version for the specified zone if not provided + if [ -z "${CLUSTER_VERSION}" ]; then + CLUSTER_VERSION=$(gcloud container get-server-config --zone $ZONE --project $PROJECT --format='value(defaultClusterVersion)'); + fi + + if $PREEMPTIBLE; then + EXTRA_CREATE_ARGS="$EXTRA_CREATE_ARGS --preemptible" + fi + if ${USE_LOCAL_SSD}; then + EXTRA_CREATE_ARGS="$EXTRA_CREATE_ARGS --local-ssd-count ${LOCAL_SSD_COUNT}" + fi + + gcloud container clusters create $CLUSTER_NAME \ + --zone $ZONE \ + --cluster-version $CLUSTER_VERSION \ + --machine-type $MACHINE_TYPE \ + --scopes "default","https://www.googleapis.com/auth/ndev.clouddns.readwrite" \ + --node-version ${CLUSTER_VERSION} \ + --num-nodes $NUM_NODES \ + --enable-ip-alias \ + --network $INT_NETWORK \ + --project $PROJECT \ + $EXTRA_CREATE_ARGS; + + mkdir -p ${CONFDIR}/.kube; + touch ${CONFDIR}/.kube/config; + export KUBECONFIG=${CONFDIR}/.kube/config; + + gcloud container clusters get-credentials $CLUSTER_NAME --zone $ZONE --project $PROJECT; + + echo "Wait for metrics API service" + # Helm 2.15 and 3.0 bug https://github.com/helm/helm/issues/6361#issuecomment-550503455 + /pulsar/kubectl --namespace=kube-system wait --for=condition=Available 
--timeout=5m apiservices/v1beta1.metrics.k8s.io + + helm repo update +} + +#Deletes everything created during bootstrap +function cleanup_gke_resources(){ + validate_gke_required_tools; + + gcloud container clusters delete -q $CLUSTER_NAME --zone $ZONE --project $PROJECT; + echo "Deleted $CLUSTER_NAME cluster successfully"; + + echo "\033[;33m Warning: Disks, load balancers, DNS records, and other cloud resources created during the helm deployment are not deleted, please delete them manually from the gcp console \033[0m"; +} + +gke_help() { + cat < +where command is one of: + up Create a GKE cluster + down Delete a GKE cluster + +Environment variables: + PROJECT Name of the GCP project. It is not set by default. + + CLUSTER_NAME Name of the GKE cluster. Defaults to ${CLUSTER_NAME}. + CONFDIR Configuration directory to store kubernetes config. Defaults to ${CONFDIR} + INT_NETWORK The Compute Engine Network that the cluster will connect to. Defaults to the '${INT_NETWORK}' network. + LOCAL_SSD_COUNT The number of local ssd counts. Defaults to ${LOCAL_SSD_COUNT}. + MACHINE_TYPE The type of machine to use for nodes. Defaults to ${MACHINE_TYPE}. + NUM_NODES The number of nodes to be created in each of the cluster's zones. Defaults to ${NUM_NODES}. + PREEMPTIBLE Create nodes using preemptible VM instances in the new cluster. Defaults to ${PREEMPTIBLE}. + REGION Compute region for the cluster. Defaults to ${REGION}. + USE_LOCAL_SSD Flag to create a cluster with local SSDs. Defaults to ${USE_LOCAL_SSD}. + ZONE Compute zone for the cluster. Defaults to ${ZONE}. + ZONE_EXTENSION Compute zone extension for the cluster. Defaults to ${ZONE_EXTENSION}. + + EXTRA_CREATE_ARGS Extra arguments passed to create command. +EOF +} + +if [ -z "$1" ]; then + gke_help + exit 1 +fi + +case $1 in + up) + bootstrap; + ;; + down) + cleanup_gke_resources; + ;; + *) + echo "Unknown command $1"; + exit 1; + ;; +esac 
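Review bot: `validate_gke_required_tools` (from the sourced common.sh) checks that `kubectl` is on `PATH`, but `bootstrap` then calls `/pulsar/kubectl --namespace=kube-system wait ...`, a path that only exists inside the toolset image; on a workstation — the only place `gcloud container clusters create` and `${HOME}/.config/streamnative` make sense — that line fails after the cluster has already been created. Use the validated tool: `kubectl --namespace=kube-system wait --for=condition=Available --timeout=5m apiservices/v1beta1.metrics.k8s.io`. The node scopes `"default","https://www.googleapis.com/auth/ndev.clouddns.readwrite"` give every node's service account DNS write access to the whole project; if this is for the DNS-01 solver, a dedicated service account via Workload Identity (this change already creates one with `roles/dns.admin`) keeps that off the node pool. `echo "\033[;33m ..."` prints the escape bytes literally under bash's `echo`; use `printf '\033[;33m Warning: ... \033[0m\n'`. The same file is added unchanged at charts/sn-platform/conf/toolset/pulsar/gke_bootstrap_script.sh (index e6f20599a).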
diff --git a/charts/sn-platform-slim/conf/toolset/pulsar/prepare_helm_release.sh b/charts/sn-platform-slim/conf/toolset/pulsar/prepare_helm_release.sh new file mode 100755 index 000000000..68e55a300 --- /dev/null +++ b/charts/sn-platform-slim/conf/toolset/pulsar/prepare_helm_release.sh 
@@ -0,0 +1,159 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +cd ${CHART_HOME} + +usage() { + cat < +EOF + exit 1; +fi + +PROJECT_ID=$1 +RESOLVER_NAME=$2 +HELM_RELEASE=$3 +NAMESPACE=$4 + +echo "Create a service acccount : ${RESOLVER_NAME}." +gcloud iam service-accounts create ${RESOLVER_NAME} --display-name "${RESOLVER_NAME}" + +echo "Bind service account '${RESOLVER_NAME}' as role 'dns.admin'." +gcloud projects add-iam-policy-binding $PROJECT_ID \ + --member serviceAccount:${RESOLVER_NAME}@$PROJECT_ID.iam.gserviceaccount.com \ + --role roles/dns.admin + +echo "Create a key for service account '${RESOLVER_NAME}' as role 'dns.admin'." +gcloud iam service-accounts keys create ${RESOLVER_NAME}-key.json \ + --iam-account ${RESOLVER_NAME}@$PROJECT_ID.iam.gserviceaccount.com + +echo "Save the service account key as a kubernete secret '${HELM_RELEASE}-${RESOLVER_NAME}-svc-acct' in namespace '${NAMESPACE}'." +/pulsar/kubectl create secret generic ${HELM_RELEASE}-${RESOLVER_NAME}-svc-acct \ + --from-file=${RESOLVER_NAME}-key.json -n ${NAMESPACE} + +echo "Remove the generated key." 
+rm ${RESOLVER_NAME}-key.json
\ No newline at end of file
diff --git a/charts/sn-platform-slim/conf/toolset/pulsar/upload-lets-encrypt-ca.sh b/charts/sn-platform-slim/conf/toolset/pulsar/upload-lets-encrypt-ca.sh
new file mode 100755
index 000000000..d84b9cefb
--- /dev/null
+++ b/charts/sn-platform-slim/conf/toolset/pulsar/upload-lets-encrypt-ca.sh
@@ -0,0 +1,33 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+#!/usr/bin/env bash
+
+BINDIR=`dirname "$0"`
+HELM_HOME=`cd $BINDIR/../..;pwd`
+
+cd $HELM_HOME/hack/pulsar/conf
+
+CA_NAME=lets-encrypt-x3-cross-signed
+PEM="${CA_NAME}.pem"
+
+NAMESPACE=$1
+
+/pulsar/kubectl create secret generic ${CA_NAME} \
+ --from-file=${PEM} -n ${NAMESPACE}
diff --git a/charts/sn-platform-slim/conf/toolset/pulsar/upload_tls.sh b/charts/sn-platform-slim/conf/toolset/pulsar/upload_tls.sh
new file mode 100755
index 000000000..94b3f764d
--- /dev/null
+++ b/charts/sn-platform-slim/conf/toolset/pulsar/upload_tls.sh
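Review bot: `gcloud iam service-accounts keys create ${RESOLVER_NAME}-key.json` writes a long-lived service-account private key into the current directory — `CHART_HOME`, i.e. the chart checkout — with the default umask, and this file has no `set -e` and no trap: when `kubectl create secret` fails the key is still deleted locally but stays active in the project, and when the script is interrupted before `rm` the key stays in the working tree where it can be committed. Create the key inside a `mktemp -d` directory removed by an EXIT trap, and revoke it with `gcloud iam service-accounts keys delete` when the secret upload fails, so no unused key remains active. Binding `roles/dns.admin` on the whole project is broader than a DNS-01 solver needs; a narrower binding or Workload Identity is preferable where available. The `usage()` heredoc and everything between it and `PROJECT_ID=$1` are lost in this rendering, so this service-account body may belong to a second file whose header is not visible rather than to prepare_helm_release.sh; the same content is presumably duplicated under charts/sn-platform/.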
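Review bot: The `#!/usr/bin/env bash` line in upload-lets-encrypt-ca.sh comes after the license block, so it is only a comment: with mode 100755 the kernel has no interpreter line and `./upload-lets-encrypt-ca.sh` is run by the caller's shell (typically `/bin/sh`), not by bash; move the shebang to line 1 as the other new scripts do. `NAMESPACE=$1` is never checked, so a missing argument yields `-n ""` and the secret most likely lands in whatever namespace the kubeconfig context selects; add `: "${1:?namespace required}"` and check the `cd` (`cd "$HELM_HOME/hack/pulsar/conf" || exit 1`). `lets-encrypt-x3-cross-signed` is the retired Let's Encrypt X3 intermediate, so it is worth confirming this is still the chain clients should trust before shipping it in a new chart.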
@@ -0,0 +1,135 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +set -e + +CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +cd ${CHART_HOME} + +namespace=${namespace:-pulsar} +release=${release:-pulsar-dev} +tlsdir=${tlsdir:-"${HOME}/.config/pulsar/security_tool/gen/ca"} +clientComponents=${clientComponents:-""} +serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper,toolset"} + +usage() { + cat < + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"; + chmod +x /pulsar/kubectl; + mkdir -p scripts/pulsar; + cp scripts/jwt-secret-config/* scripts/pulsar; + chmod +x scripts/pulsar/*; + usingSecretKey={{ .Values.auth.authentication.jwt.usingSecretKey }}; + if [ "${usingSecretKey}" = "true" ]; then + ./scripts/pulsar/prepare_helm_release.sh -n {{ template "pulsar.namespace" . }} -k {{ .Release.Name }} --symmetric; + else + ./scripts/pulsar/prepare_helm_release.sh -n {{ template "pulsar.namespace" . 
}} -k {{ .Release.Name }}; + fi; + {{- if .Values.toolset.resources }} + resources: +{{ toYaml .Values.toolset.resources | indent 10 }} + {{- end }} + volumeMounts: + - mountPath: /pulsar/scripts/jwt-secret-config + name: {{ template "pulsar.fullname" . }}-jwt-secret-init-config + restartPolicy: Never + {{- if .Values.toolset.securityContext }} + securityContext: {{- toYaml .Values.toolset.securityContext | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/sn-platform/conf/toolset/pulsar/clean_tls.sh b/charts/sn-platform/conf/toolset/pulsar/clean_tls.sh new file mode 100755 index 000000000..884cc383e --- /dev/null +++ b/charts/sn-platform/conf/toolset/pulsar/clean_tls.sh 
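Review bot: The job command downloads `kubectl` at run time with `curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"` and then `chmod +x /pulsar/kubectl` — whatever `stable.txt` points to on the day the hook runs is executed with the job's service-account token, with no `--fail`, no checksum and no version pin; Kubernetes publishes `kubectl.sha256` beside the binary, so pin the version in values and verify: `curl --fail -L -o /pulsar/kubectl "https://dl.k8s.io/release/<KUBECTL_VERSION>/bin/linux/amd64/kubectl"` and `echo "<EXPECTED_SHA256>  /pulsar/kubectl" | sha256sum -c`, or better bake kubectl into the toolset image, since every script in this change hard-codes `/pulsar/kubectl`. `curl -LO` writes to the current directory, so the following `chmod +x /pulsar/kubectl` only works if the working directory happens to be `/pulsar`; an explicit `-o /pulsar/kubectl` removes that dependency. This unit begins with the upload_tls.sh hunk whose `usage()` heredoc and everything up to the `curl` line are lost in this rendering, so the template's file header and the boundary between the two files are not visible here.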
@@ -0,0 +1,115 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +set -e + +CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +cd ${CHART_HOME} + +namespace=${namespace:-pulsar} +release=${release:-pulsar-dev} +clientComponents=${clientComponents:-"toolset"} +serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper"} + +usage() { + cat <&2 "${tool} is required. 
Please follow ${url}" + exit 1 +} + +function need_gcloud(){ + need_tool "gcloud" "https://cloud.google.com/sdk/downloads" +} + +function need_kubectl(){ + need_tool "kubectl" "https://kubernetes.io/docs/tasks/tools/install-kubectl" +} + +function need_helm(){ + need_tool "helm" "https://github.com/helm/helm/#install" +} + +function need_eksctl(){ + need_tool "eksctl" "https://eksctl.io" +} + +function validate_gke_required_tools(){ + if [ -z "$PROJECT" ]; then + echo "\$PROJECT needs to be set to your project id"; + exit 1; + fi + + for comm in gcloud kubectl helm + do + command -v "${comm}" > /dev/null 2>&1 || "need_${comm}" + done + + gcloud container clusters list --project $PROJECT >/dev/null 2>&1 || { echo >&2 "Gcloud seems to be configured incorrectly or authentication is unsuccessfull"; exit 1; } + +} + +function cluster_admin_password_gke(){ + gcloud container clusters describe $CLUSTER_NAME --zone $ZONE --project $PROJECT --format='value(masterAuth.password)'; +} + +function validate_eks_required_tools(){ + for comm in eksctl kubectl helm + do + command -v "${comm}" > /dev/null 2>&1 || "need_${comm}" + done +} diff --git a/charts/sn-platform/conf/toolset/pulsar/common_auth.sh b/charts/sn-platform/conf/toolset/pulsar/common_auth.sh new file mode 100755 index 000000000..ede8c86eb --- /dev/null +++ b/charts/sn-platform/conf/toolset/pulsar/common_auth.sh 
@@ -0,0 +1,66 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +if [ -z "$CHART_HOME" ]; then + echo "error: CHART_HOME should be initialized" + exit 1 +fi + +OUTPUT=${CHART_HOME}/output +OUTPUT_BIN=${OUTPUT}/bin +PULSARCTL_VERSION=v2.10.2.2 +PULSARCTL_BIN=/pulsar/bin/pulsarctl +export PATH=${HOME}/.pulsarctl/plugins:${PATH} + +discoverArch() { + ARCH=$(uname -m) + case $ARCH in + x86) ARCH="386";; + x86_64) ARCH="amd64";; + i686) ARCH="386";; + i386) ARCH="386";; + esac +} + +discoverArch +OS=$(echo `uname`|tr '[:upper:]' '[:lower:]') + +test -d "$OUTPUT_BIN" || mkdir -p "$OUTPUT_BIN" + +function pulsar::verify_pulsarctl() { + if test -x "$PULSARCTL_BIN"; then + return + fi + return 1 +} + +function pulsar::ensure_pulsarctl() { + if pulsar::verify_pulsarctl; then + return 0 + fi + echo "Get pulsarctl install.sh script ..." + install_script=$(mktemp) + trap "test -f $install_script && rm $install_script" RETURN + curl --retry 10 -L -o $install_script https://raw.githubusercontent.com/streamnative/pulsarctl/master/install.sh + chmod +x $install_script + $install_script --user --version ${PULSARCTL_VERSION} +} + + 
diff --git a/charts/sn-platform/conf/toolset/pulsar/decommission_bookies.sh b/charts/sn-platform/conf/toolset/pulsar/decommission_bookies.sh new file mode 100755 index 000000000..55e2823f7 --- /dev/null +++ b/charts/sn-platform/conf/toolset/pulsar/decommission_bookies.sh @@ -0,0 +1,96 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +set -e + +CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +cd ${CHART_HOME} + +usage() { + cat <=1; i--)) +do + j=$((i-1)) + echo /pulsar/kubectl -n ${namespace} scale --replicas=${j} sts/${statefulset} + /pulsar/kubectl -n ${namespace} scale --replicas=${j} sts/${statefulset} + echo /pulsar/kubectl -n ${autorecovery_namespace} exec -it ${autorecovery_pod} -- bin/bookkeeper shell decommissionbookie -bookieid ${statefulset}-${j}.${statefulset}.${namespace}.svc.cluster.local:3181 + /pulsar/kubectl -n ${autorecovery_namespace} exec -it ${autorecovery_pod} -- bin/bookkeeper shell decommissionbookie -bookieid ${statefulset}-${j}.${statefulset}.${namespace}.svc.cluster.local:3181 +done 
diff --git a/charts/sn-platform/conf/toolset/pulsar/generate_token.sh b/charts/sn-platform/conf/toolset/pulsar/generate_token.sh new file mode 100755 index 000000000..7dd1b656e --- /dev/null +++ b/charts/sn-platform/conf/toolset/pulsar/generate_token.sh 
@@ -0,0 +1,125 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +set -e + +CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +cd ${CHART_HOME} + +usage() { + cat < +EOF +} + +symmetric=false + +while [[ $# -gt 0 ]] +do +key="$1" + +case $key in + -n|--namespace) + namespace="$2" + shift + shift + ;; + -k|--release) + release="$2" + shift + shift + ;; + -r|--role) + role="$2" + shift + shift + ;; + -s|--symmetric) + symmetric=true + shift + ;; + -h|--help) + usage + exit 0 + ;; + *) + echo "unknown option: $key" + usage + exit 1 + ;; +esac +done + +if [[ "x${role}" == "x" ]]; then + echo "No pulsar role is provided!" 
+ usage + exit 1 +fi + +source ${CHART_HOME}/scripts/pulsar/common_auth.sh + +# pulsar::ensure_pulsarctl + +namespace=${namespace:-pulsar} +release=${release:-pulsar-dev} + +function pulsar::jwt::generate_symmetric_token() { + local token_name="${release}-token-${role}" + local secret_name="${release}-token-symmetric-key" + + tmpfile=$(mktemp) + trap "test -f $tmpfile && rm $tmpfile" RETURN + tokentmpfile=$(mktemp) + trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN + /pulsar/kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['SECRETKEY']}" | base64 --decode > ${tmpfile} + ${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile} + newtokentmpfile=$(mktemp) + tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile} + /pulsar/kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" +} + +function pulsar::jwt::generate_asymmetric_token() { + local token_name="${release}-token-${role}" + local secret_name="${release}-token-asymmetric-key" + + privatekeytmpfile=$(mktemp) + trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN + tokentmpfile=$(mktemp) + trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN + /pulsar/kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['PRIVATEKEY']}" | base64 --decode > ${privatekeytmpfile} + ${PULSARCTL_BIN} token create -a RS256 --private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile} + newtokentmpfile=$(mktemp) + tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile} + /pulsar/kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" +} + +if [[ "${symmetric}" == "true" ]]; then + pulsar::jwt::generate_symmetric_token +else + pulsar::jwt::generate_asymmetric_token +fi 
diff --git a/charts/sn-platform/conf/toolset/pulsar/generate_token_secret_key.sh b/charts/sn-platform/conf/toolset/pulsar/generate_token_secret_key.sh new file mode 100755 index 000000000..f5c9f28a3 --- /dev/null +++ b/charts/sn-platform/conf/toolset/pulsar/generate_token_secret_key.sh 
@@ -0,0 +1,109 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+set -e
+
+CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd)
+cd ${CHART_HOME}
+
+usage() {
+ cat <
+EOF
+}
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ -n|--namespace)
+ namespace="$2"
+ shift
+ shift
+ ;;
+ -k|--release)
+ release="$2"
+ shift
+ shift
+ ;;
+ -r|--role)
+ role="$2"
+ shift
+ shift
+ ;;
+ -h|--help)
+ usage
+ exit 0
+ ;;
+ *)
+ echo "unknown option: $key"
+ usage
+ exit 1
+ ;;
+esac
+done
+
+if [[ "x${role}" == "x" ]]; then
+ echo "No pulsar role is provided!"
+ usage
+ exit 1
+fi
+
+source ${CHART_HOME}/scripts/pulsar/common_auth.sh
+
+# pulsar::ensure_pulsarctl
+
+namespace=${namespace:-pulsar}
+release=${release:-pulsar-dev}
+
+function pulsar::jwt::get_token() {
+ local token_name="${release}-token-${role}"
+
+ local token=$(/pulsar/kubectl get -n ${namespace} secrets ${token_name} -o jsonpath="{.data['TOKEN']}" | base64 --decode)
+ local token_type=$(/pulsar/kubectl get -n ${namespace} secrets ${token_name} -o jsonpath="{.data['TYPE']}" | base64 --decode)
+
+ echo "token type: ${token_type}"
+ echo "-------------------------"
+ echo "${token}"
+}
+
+pulsar::jwt::get_token
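Review bot: `local token=$(/pulsar/kubectl get ... | base64 --decode)` in pulsar::jwt::get_token hides the kubectl exit status twice — `local` returns 0 regardless of the substitution, and without `pipefail` the pipeline reports base64's status — so under `set -e` a missing or misnamed secret still prints `token type:` with an empty body and exits 0. Add `set -o pipefail` next to `set -e`, declare first with `local token token_type`, then assign separately: `token=$(/pulsar/kubectl get -n "${namespace}" secrets "${token_name}" -o jsonpath="{.data['TOKEN']}" | base64 --decode) || exit 1` (same for `token_type`). The script then echoes the raw JWT to stdout; since it runs inside the toolset pod, the token will end up in any `kubectl exec` transcript or CI log that captures output, which is worth a comment such as `# prints the raw JWT to stdout; redirect to a file rather than a shared log`. The usage heredoc appears truncated in this view (`cat < +EOF`), which looks like an extraction artifact rather than the committed text.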
diff --git a/charts/sn-platform/conf/toolset/pulsar/gke_bootstrap_script.sh b/charts/sn-platform/conf/toolset/pulsar/gke_bootstrap_script.sh
new file mode 100755
index 000000000..e6f20599a
--- /dev/null
+++ b/charts/sn-platform/conf/toolset/pulsar/gke_bootstrap_script.sh
@@ -0,0 +1,118 @@ +#!/bin/bash + +set -e + +REGION=${REGION:-"us-east1"} +ZONE_EXTENSION=${ZONE_EXTENSION:-"b"} +ZONE=${REGION}-${ZONE_EXTENSION} +CLUSTER_NAME=${CLUSTER_NAME:-"pulsar-dev"} +MACHINE_TYPE=${MACHINE_TYPE:-"n1-standard-4"} +NUM_NODES=${NUM_NODES:-"4"} +INT_NETWORK=${INT_NETWORK:-"default"} +PREEMPTIBLE=${PREEMPTIBLE-false} +EXTRA_CREATE_ARGS=${EXTRA_CREATE_ARGS:-""} +USE_LOCAL_SSD=${USE_LOCAL_SSD-false} +LOCAL_SSD_COUNT=${LOCAL_SSD_COUNT:-"4"} +CONFDIR=${CONFDIR:-"${HOME}/.config/streamnative"} + +# MacOS does not support readlink, but it does have perl +KERNEL_NAME=$(uname -s) +BINDIR=$(dirname "$0") +SCRIPTS_DIR=`cd ${BINDIR};pwd` + +source ${SCRIPTS_DIR}/common.sh; + +function bootstrap(){ + set -e + validate_gke_required_tools; + + # Use the default cluster version for the specified zone if not provided + if [ -z "${CLUSTER_VERSION}" ]; then + CLUSTER_VERSION=$(gcloud container get-server-config --zone $ZONE --project $PROJECT --format='value(defaultClusterVersion)'); + fi + + if $PREEMPTIBLE; then + EXTRA_CREATE_ARGS="$EXTRA_CREATE_ARGS --preemptible" + fi + if ${USE_LOCAL_SSD}; then + EXTRA_CREATE_ARGS="$EXTRA_CREATE_ARGS --local-ssd-count ${LOCAL_SSD_COUNT}" + fi + + gcloud container clusters create $CLUSTER_NAME \ + --zone $ZONE \ + --cluster-version $CLUSTER_VERSION \ + --machine-type $MACHINE_TYPE \ + --scopes "default","https://www.googleapis.com/auth/ndev.clouddns.readwrite" \ + --node-version ${CLUSTER_VERSION} \ + --num-nodes $NUM_NODES \ + --enable-ip-alias \ + --network $INT_NETWORK \ + --project $PROJECT \ + $EXTRA_CREATE_ARGS; + + mkdir -p ${CONFDIR}/.kube; + touch ${CONFDIR}/.kube/config; + export KUBECONFIG=${CONFDIR}/.kube/config; + + gcloud container clusters get-credentials $CLUSTER_NAME --zone $ZONE --project $PROJECT; + + echo "Wait for metrics API service" + # Helm 2.15 and 3.0 bug https://github.com/helm/helm/issues/6361#issuecomment-550503455 + /pulsar/kubectl --namespace=kube-system wait --for=condition=Available 
--timeout=5m apiservices/v1beta1.metrics.k8s.io + + helm repo update +} + +#Deletes everything created during bootstrap +function cleanup_gke_resources(){ + validate_gke_required_tools; + + gcloud container clusters delete -q $CLUSTER_NAME --zone $ZONE --project $PROJECT; + echo "Deleted $CLUSTER_NAME cluster successfully"; + + echo "\033[;33m Warning: Disks, load balancers, DNS records, and other cloud resources created during the helm deployment are not deleted, please delete them manually from the gcp console \033[0m"; +} + +gke_help() { + cat < +where command is one of: + up Create a GKE cluster + down Delete a GKE cluster + +Environment variables: + PROJECT Name of the GCP project. It is not set by default. + + CLUSTER_NAME Name of the GKE cluster. Defaults to ${CLUSTER_NAME}. + CONFDIR Configuration directory to store kubernetes config. Defaults to ${CONFDIR} + INT_NETWORK The Compute Engine Network that the cluster will connect to. Defaults to the '${INT_NETWORK}' network. + LOCAL_SSD_COUNT The number of local ssd counts. Defaults to ${LOCAL_SSD_COUNT}. + MACHINE_TYPE The type of machine to use for nodes. Defaults to ${MACHINE_TYPE}. + NUM_NODES The number of nodes to be created in each of the cluster's zones. Defaults to ${NUM_NODES}. + PREEMPTIBLE Create nodes using preemptible VM instances in the new cluster. Defaults to ${PREEMPTIBLE}. + REGION Compute region for the cluster. Defaults to ${REGION}. + USE_LOCAL_SSD Flag to create a cluster with local SSDs. Defaults to ${USE_LOCAL_SSD}. + ZONE Compute zone for the cluster. Defaults to ${ZONE}. + ZONE_EXTENSION Compute zone extension for the cluster. Defaults to ${ZONE_EXTENSION}. + + EXTRA_CREATE_ARGS Extra arguments passed to create command. +EOF +} + +if [ -z "$1" ]; then + gke_help + exit 1 +fi + +case $1 in + up) + bootstrap; + ;; + down) + cleanup_gke_resources; + ;; + *) + echo "Unknown command $1"; + exit 1; + ;; +esac 
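Review bot: The `--scopes "default","https://www.googleapis.com/auth/ndev.clouddns.readwrite"` passed to `gcloud container clusters create` puts Cloud DNS write access on the node service account, and a node-level scope is obtainable by any pod on those nodes that can reach the metadata server (the default unless Workload Identity or metadata concealment is enabled), not only the DNS solver that needs it. Prefer granting DNS permissions to one Kubernetes service account via Workload Identity (`--workload-pool="${PROJECT}.svc.id.goog"`) and dropping the extra scope, or at least add a comment stating why node-wide DNS write is acceptable for this dev cluster. The kubeconfig that `gcloud container clusters get-credentials` fills is created by `touch ${CONFDIR}/.kube/config` under the caller's umask; `install -m 600 /dev/null "${CONFDIR}/.kube/config"` keeps the cluster credentials private to the user. Separately, `echo "\033[;33m Warning: ... \033[0m"` in cleanup_gke_resources prints the escape sequence literally under bash's default echo — use `printf '\033[;33m Warning: ... \033[0m\n'`.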
diff --git a/charts/sn-platform/conf/toolset/pulsar/prepare_helm_release.sh b/charts/sn-platform/conf/toolset/pulsar/prepare_helm_release.sh
new file mode 100755
index 000000000..68e55a300
--- /dev/null
+++ b/charts/sn-platform/conf/toolset/pulsar/prepare_helm_release.sh
@@ -0,0 +1,159 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd)
+cd ${CHART_HOME}
+
+usage() {
+ cat <
+EOF
+ exit 1;
+fi
+
+PROJECT_ID=$1
+RESOLVER_NAME=$2
+HELM_RELEASE=$3
+NAMESPACE=$4
+
+echo "Create a service acccount : ${RESOLVER_NAME}."
+gcloud iam service-accounts create ${RESOLVER_NAME} --display-name "${RESOLVER_NAME}"
+
+echo "Bind service account '${RESOLVER_NAME}' as role 'dns.admin'."
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+ --member serviceAccount:${RESOLVER_NAME}@$PROJECT_ID.iam.gserviceaccount.com \
+ --role roles/dns.admin
+
+echo "Create a key for service account '${RESOLVER_NAME}' as role 'dns.admin'."
+gcloud iam service-accounts keys create ${RESOLVER_NAME}-key.json \
+ --iam-account ${RESOLVER_NAME}@$PROJECT_ID.iam.gserviceaccount.com
+
+echo "Save the service account key as a kubernete secret '${HELM_RELEASE}-${RESOLVER_NAME}-svc-acct' in namespace '${NAMESPACE}'."
+/pulsar/kubectl create secret generic ${HELM_RELEASE}-${RESOLVER_NAME}-svc-acct \
+ --from-file=${RESOLVER_NAME}-key.json -n ${NAMESPACE}
+
+echo "Remove the generated key."
+rm ${RESOLVER_NAME}-key.json
\ No newline at end of file
diff --git a/charts/sn-platform/conf/toolset/pulsar/upload-lets-encrypt-ca.sh b/charts/sn-platform/conf/toolset/pulsar/upload-lets-encrypt-ca.sh
new file mode 100755
index 000000000..d84b9cefb
--- /dev/null
+++ b/charts/sn-platform/conf/toolset/pulsar/upload-lets-encrypt-ca.sh
@@ -0,0 +1,33 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+#!/usr/bin/env bash
+
+BINDIR=`dirname "$0"`
+HELM_HOME=`cd $BINDIR/../..;pwd`
+
+cd $HELM_HOME/hack/pulsar/conf
+
+CA_NAME=lets-encrypt-x3-cross-signed
+PEM="${CA_NAME}.pem"
+
+NAMESPACE=$1
+
+/pulsar/kubectl create secret generic ${CA_NAME} \
+ --from-file=${PEM} -n ${NAMESPACE}
diff --git a/charts/sn-platform/conf/toolset/pulsar/upload_tls.sh b/charts/sn-platform/conf/toolset/pulsar/upload_tls.sh
new file mode 100755
index 000000000..94b3f764d
--- /dev/null
+++ b/charts/sn-platform/conf/toolset/pulsar/upload_tls.sh
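Review bot: The key written by `gcloud iam service-accounts keys create ${RESOLVER_NAME}-key.json` is a long-lived credential bound to project-wide `roles/dns.admin`, and this script has neither `set -e` nor a trap, so a failed `add-iam-policy-binding` still proceeds to mint the key and an interruption between `keys create` and the trailing `rm` leaves it on disk in `${CHART_HOME}` under the default umask. Add `set -euo pipefail` after the license header and `trap 'rm -f -- "${RESOLVER_NAME}-key.json"' EXIT` before the `keys create` call, so the key is removed on every exit path (the final `rm` then becomes redundant). From a least-privilege standpoint a DNS-01 solver only needs to edit records in its own managed zone, so consider a zone-scoped binding or a custom role instead of project-level `roles/dns.admin`, and note in a comment that GKE Workload Identity would avoid exporting a key altogether. The usage heredoc and the argument-count check appear truncated in this view (`cat < +EOF + exit 1; +fi`), which looks like an extraction artifact rather than the committed text.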
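Review bot: `#!/usr/bin/env bash` in upload-lets-encrypt-ca.sh sits after the license comment block, so it is just a comment and the kernel sees no shebang; the script then runs under whatever shell the caller falls back to, which matters for the backtick and `$BINDIR` handling. Move the shebang to line 1, above the license header. `NAMESPACE=$1` is used unchecked — `: "${NAMESPACE:?usage: $0 <namespace>}"` makes the missing-argument case fail loudly instead of relying on whatever `-n ""` resolves to. The hard-coded `CA_NAME=lets-encrypt-x3-cross-signed` appears to pin the Let's Encrypt Authority X3 intermediate, which Let's Encrypt has since retired in favour of R3 under ISRG Root X1; pinning an intermediate as the trust anchor breaks silently on rotation, so a comment naming the intended root and how this secret is refreshed would help whoever inherits this.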
@@ -0,0 +1,135 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +set -e + +CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +cd ${CHART_HOME} + +namespace=${namespace:-pulsar} +release=${release:-pulsar-dev} +tlsdir=${tlsdir:-"${HOME}/.config/pulsar/security_tool/gen/ca"} +clientComponents=${clientComponents:-""} +serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper,toolset"} + +usage() { + cat < + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"; + chmod +x /pulsar/kubectl; + mkdir -p scripts/pulsar; + cp scripts/jwt-secret-config/* scripts/pulsar; + chmod +x scripts/pulsar/*; + usingSecretKey={{ .Values.auth.authentication.jwt.usingSecretKey }}; + if [ "${usingSecretKey}" = "true" ]; then + ./scripts/pulsar/prepare_helm_release.sh -n {{ template "pulsar.namespace" . }} -k {{ .Release.Name }} --symmetric; + else + ./scripts/pulsar/prepare_helm_release.sh -n {{ template "pulsar.namespace" . 
}} -k {{ .Release.Name }}; + fi; + {{- if .Values.toolset.resources }} + resources: +{{ toYaml .Values.toolset.resources | indent 10 }} + {{- end }} + volumeMounts: + - mountPath: /pulsar/scripts/jwt-secret-config + name: {{ template "pulsar.fullname" . }}-jwt-secret-init-config + restartPolicy: Never + {{- if .Values.toolset.securityContext }} + securityContext: {{- toYaml .Values.toolset.securityContext | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file
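Review bot: The init command fetches kubectl at job runtime with `curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"` and marks it executable with no pinned version and no digest or signature check, so every run trusts whatever dl.k8s.io serves as "stable" that day and an interposing proxy or mirror can hand the job a different binary. Pin the release and verify the published digest before it runs, e.g. download the matching `kubectl.sha256` and check with `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check`, or better, bake kubectl into the toolset image so the job has no network dependency. Note also that `curl -LO` writes to the working directory while `chmod +x /pulsar/kubectl` assumes `/pulsar`; `-o /pulsar/kubectl` makes that explicit. These lines read as a Helm job template rather than upload_tls.sh, and text appears lost between `cat <` and `curl -LO` in this view, so the enclosing template starts outside what is visible here.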