diff --git a/manifests/tmc-sm.tanzu.japan.com/1.4.0/README.md b/manifests/tmc-sm.tanzu.japan.com/1.4.0/README.md
new file mode 100644
index 0000000..d6c73bd
--- /dev/null
+++ b/manifests/tmc-sm.tanzu.japan.com/1.4.0/README.md
@@ -0,0 +1,10 @@
+```
+export DOMAIN=tmc-sm.my-domain
+```
+
+```
+openssl genrsa -out /tmp/${DOMAIN}.key
+openssl req -x509 -new -sha256 -days 3650 -nodes \
+ -key /tmp/${DOMAIN}.key -out /tmp/${DOMAIN}.cer \
+ -subj /CN=${DOMAIN}
+```
diff --git a/manifests/tmc-sm.tanzu.japan.com/1.4.0/certmanager/certmanager.yaml b/manifests/tmc-sm.tanzu.japan.com/1.4.0/certmanager/certmanager.yaml
new file mode 100644
index 0000000..ebaa9b7
--- /dev/null
+++ b/manifests/tmc-sm.tanzu.japan.com/1.4.0/certmanager/certmanager.yaml
@@ -0,0 +1,99 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:base64", "base64")
+#@ load("@ytt:yaml", "yaml")
+
+#@ if data.values.certmanager.enabled:
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: certmanager-install
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kapp-sa
+ namespace: certmanager-install
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: certmanager-kapp-role-binding
+ namespace: certmanager-install
+subjects:
+- kind: ServiceAccount
+ name: kapp-sa
+ namespace: certmanager-install
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+#@ if data.values.certmanager.package_repo.install:
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageRepository
+metadata:
+ name: tds-pack
+ namespace: certmanager-install
+ annotations:
+ kapp.k14s.io/change-group: "pkgr"
+spec:
+ fetch:
+ imgpkgBundle:
+ image: #@ data.values.certmanager.package_repo.repo + ":" + data.values.certmanager.package_repo.version
+#@ end
+#@ if data.values.certmanager.package.install:
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+ name: cert-manager
+ namespace: certmanager-install
+ annotations:
+ kapp.k14s.io/change-group: "pkg"
+spec:
+ packageRef:
+ refName: cert-manager.tanzu.vmware.com
+ versionSelection:
+ constraints: ">0.0.0"
+ serviceAccountName: kapp-sa
+#@ end
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterissuers.cert-manager.io
+ annotations:
+ kapp.k14s.io/exists: ""
+ kapp.k14s.io/change-group: "tkcrd"
+ kapp.k14s.io/change-rule: "upsert after upserting pkg"
+spec:
+ group: cert-manager.io
+ versions:
+ - name: v1
+ names:
+ kind: ClusterIssuer
+ scope: Cluster
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: tmc-local-issuer
+ annotations:
+ kapp.k14s.io/change-rule: "upsert after upserting tkcrd"
+spec:
+ ca:
+ secretName: ca-key-pair
+---
+apiVersion: v1
+data:
+ tls.crt: #@ base64.encode(data.values.ca.crt)
+ tls.key: #@ base64.encode(data.values.ca.key)
+kind: Secret
+metadata:
+ name: ca-key-pair
+ namespace: cert-manager
+ annotations:
+ kapp.k14s.io/change-rule: "upsert after upserting tkcrd"
+type: kubernetes.io/tls
+#@ end
diff --git a/manifests/tmc-sm.tanzu.japan.com/1.4.0/dex/dex.yaml b/manifests/tmc-sm.tanzu.japan.com/1.4.0/dex/dex.yaml
new file mode 100644
index 0000000..5e3910c
--- /dev/null
+++ b/manifests/tmc-sm.tanzu.japan.com/1.4.0/dex/dex.yaml
@@ -0,0 +1,100 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:base64", "base64")
+#@ load("@ytt:yaml", "yaml")
+
+#@ def dex_config():
+#@overlay/match missing_ok=True
+#@overlay/match-child-defaults missing_ok=True
+domain: #@ data.values.domain
+
+namespace: tmc-sm-dex
+
+static:
+ secret: #@ data.values.oidc.secret
+ callbacks:
+ - #@ "https://pinniped-supervisor." + data.values.domain + "/provider/pinniped/callback"
+openldap:
+ enabled: true
+ rootdn: dc=tmc,dc=dev
+ group: usergroups
+ ldif: #@ data.values.openldap.ldif
+#@ end
+
+#@ if data.values.dex.enabled:
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: dex-install
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kapp-sa
+ namespace: dex-install
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: dex-kapp-role-binding
+ namespace: dex-install
+subjects:
+- kind: ServiceAccount
+ name: kapp-sa
+ namespace: dex-install
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+ name: dex
+ namespace: dex-install
+ annotations:
+ kapp.k14s.io/change-group: "dexpkg"
+spec:
+ serviceAccountName: kapp-sa
+ packageRef:
+ refName: dex.tanzu.japan.com
+ versionSelection:
+ constraints: #@ data.values.dex.version
+ values:
+ - secretRef:
+ name: change-default-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: change-default-secret
+ namespace: dex-install
+stringData:
+ change-default-reg-secret.yml: #@ yaml.encode(overlay.apply(dex_config()))
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: dex
+ annotations:
+ cert-manager.io/cluster-issuer: tmc-local-issuer
+ kapp.k14s.io/change-rule: "upsert after upserting dexpkg"
+ namespace: tmc-sm-dex
+spec:
+ ingressClassName: tmc-local
+ rules:
+ - host: #@ "dex." + data.values.domain
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: dex
+ port:
+ number: 5556
+ tls:
+ - hosts:
+ - #@ "dex." + data.values.domain
+ secretName: dex-cert
+#@ end
diff --git a/manifests/tmc-sm.tanzu.japan.com/1.4.0/tmc/hack.yaml b/manifests/tmc-sm.tanzu.japan.com/1.4.0/tmc/hack.yaml
new file mode 100644
index 0000000..8bf49c2
--- /dev/null
+++ b/manifests/tmc-sm.tanzu.japan.com/1.4.0/tmc/hack.yaml
@@ -0,0 +1,37 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:base64", "base64")
+#@ load("@ytt:yaml", "yaml")
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ldap-overlay-secret
+ namespace: tmc-local
+stringData:
+ addscope.yaml: |
+ #@ load("@ytt:data", "data")
+ #@ load("@ytt:overlay", "overlay")
+ ---
+ #@overlay/match by=overlay.subset({"kind":"OIDCIdentityProvider", "metadata": {"name": "pinniped-upstream"}})
+ ---
+ spec:
+ authorizationConfig:
+ additionalScopes:
+ - groups
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tmc-overlay-override
+ namespace: tmc-local
+stringData:
+ patch-oidc.yaml: |
+ #@ load("@ytt:overlay", "overlay")
+ #@overlay/match by=overlay.subset({"kind":"PackageInstall", "metadata": {"name": "tmc-local-stack"}})
+ ---
+ metadata:
+ annotations:
+ #@overlay/match missing_ok=True
+ ext.packaging.carvel.dev/ytt-paths-from-secret-name.0: ldap-overlay-secret
diff --git a/manifests/tmc-sm.tanzu.japan.com/1.4.0/tmc/tmc.yaml b/manifests/tmc-sm.tanzu.japan.com/1.4.0/tmc/tmc.yaml
new file mode 100644
index 0000000..ed1b930
--- /dev/null
+++ b/manifests/tmc-sm.tanzu.japan.com/1.4.0/tmc/tmc.yaml
@@ -0,0 +1,92 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:base64", "base64")
+#@ load("@ytt:yaml", "yaml")
+
+#@ def tmc_config():
+#@overlay/match missing_ok=True
+#@overlay/match-child-defaults missing_ok=True
+clusterIssuer: tmc-local-issuer
+
+contourEnvoy:
+ serviceType: LoadBalancer
+
+dnsZone: #@ data.values.domain
+harborProject: #@ data.values.tmc.repo
+
+oidc:
+ issuerType: pinniped
+ issuerURL: #@ "https://dex." + data.values.domain + "/dex"
+ clientID: dex-authenticator
+ clientSecret: #@ data.values.oidc.secret
+postgres:
+ userPassword: #@ data.values.tmc.postgres.password
+minio:
+ username: #@ data.values.tmc.minio.username
+ password: #@ data.values.tmc.minio.password
+trustedCAs:
+ local-ca.crt: #@ data.values.ca.crt
+#@ end
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tmc-local
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kapp-sa
+ namespace: tmc-local
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tmc-kapp-role-binding
+ namespace: tmc-local
+subjects:
+- kind: ServiceAccount
+ name: kapp-sa
+ namespace: tmc-local
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageRepository
+metadata:
+ name: tanzu-mission-control-packages
+ namespace: tmc-local
+ annotations:
+ kapp.k14s.io/change-group: "tmcpkgr"
+spec:
+ fetch:
+ imgpkgBundle:
+ image: #@ data.values.tmc.repo + "/package-repository:" + data.values.tmc.version
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+ name: tmc
+ namespace: tmc-local
+ annotations:
+ ext.packaging.carvel.dev/ytt-paths-from-secret-name.0: tmc-overlay-override
+ kapp.k14s.io/change-rule: "upsert after upserting tmcpkgr"
+spec:
+ serviceAccountName: kapp-sa
+ packageRef:
+ refName: tmc.tanzu.vmware.com
+ versionSelection:
+ constraints: ">0.0.0"
+ values:
+ - secretRef:
+ name: change-default-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: change-default-secret
+ namespace: tmc-local
+stringData:
+ change-default-reg-secret.yml: #@ yaml.encode(overlay.apply(tmc_config()))
diff --git a/manifests/tmc-sm.tanzu.japan.com/1.4.0/values.yaml b/manifests/tmc-sm.tanzu.japan.com/1.4.0/values.yaml
new file mode 100644
index 0000000..746605d
--- /dev/null
+++ b/manifests/tmc-sm.tanzu.japan.com/1.4.0/values.yaml
@@ -0,0 +1,62 @@
+#@data/values-schema
+---
+domain: example.com
+
+ca:
+ crt: dummy
+ key: dummy
+
+certmanager:
+ enabled: true
+ package_repo:
+ install: false
+ repo: projects.registry.vmware.com/tkg/packages/standard/repo
+ version: 2.2.0
+ package:
+ install: true
+
+dex:
+ enabled: true
+ version: 0.14.3
+
+oidc:
+ secret: randomsecret
+
+tmc:
+ repo: internalrepo.com/tmc
+ postgres:
+ password: Passw0rd
+ minio:
+ username: root
+ password: Passw0rd
+
+openldap:
+ ldif: |
+ dn: dc=tmc,dc=dev
+ objectClass: dcObject
+ objectclass: organization
+ o: tmc
+ dc: tmc
+
+ dn: ou=usergroups,dc=tmc,dc=dev
+ objectClass: organizationalUnit
+ objectClass: top
+ ou: usergroups
+
+ dn: cn=tmc01,ou=usergroups,dc=tmc,dc=dev
+ cn: tmc01
+ sn: tmc01
+ objectClass: inetOrgPerson
+ objectClass: posixAccount
+ objectClass: shadowAccount
+ userPassword: VMware1!
+ uid: tmc01
+ mail: tmc01@tmc.com
+ uidNumber: 1000
+ gidNumber: 1000
+ homeDirectory: /home/user01
+
+ dn: cn=tmc:admin,ou=usergroups,dc=tmc,dc=dev
+ cn: tmc:admin
+ objectClass: groupOfNames
+ member: cn=tmc01,ou=usergroups,dc=tmc,dc=dev
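Review bot: The `certmanager-kapp-role-binding` ClusterRoleBinding hands the `kapp-sa` ServiceAccount the built-in `cluster-admin` ClusterRole, so anything that can read that account's token in `certmanager-install` holds unrestricted rights over the whole cluster; the identical binding is repeated in dex.yaml (`dex-kapp-role-binding`) and tmc.yaml (`tmc-kapp-role-binding`). Installing these packages presumably does need cluster-scoped permissions (CRDs and cluster RBAC are typical), but a dedicated ClusterRole limited to the API groups the package actually touches would bound the blast radius, and if `cluster-admin` is kept on purpose the reason belongs above `roleRef:`, e.g. `# cluster-admin: kapp-controller applies the package's CRDs and cluster-scoped RBAC with this account; narrow once the required verbs are known`. Separately, `metadata.namespace: certmanager-install` on a ClusterRoleBinding is not meaningful for a cluster-scoped kind and can be dropped in all three files.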
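Review bot: None of the four `#@ load(...)` lines at the top of hack.yaml are used: every `#@` directive that follows sits inside the `|` block scalars of `addscope.yaml` and `patch-oidc.yaml`, so it is literal Secret content evaluated later by kapp-controller, not by this render. The same unused loads exist in certmanager.yaml (`overlay`, `yaml`), dex.yaml (`base64`) and tmc.yaml (`base64`); dropping them keeps each file's dependencies honest. The two embedded overlays are also shaped differently: `addscope.yaml` has a bare `---` between its load lines and the `#@overlay/match` annotation, which makes the annotated document the second one and leaves an unannotated empty document ahead of it, while `patch-oidc.yaml` goes straight from load to annotation to `---`; unless ytt is known to discard that empty document, remove the extra `---` so both overlays share one shape. A one-line comment on each Secret naming what it patches would help the next reader, e.g. `# Overlay for the tmc package's rendered output: adds the "groups" scope to the pinniped-upstream OIDCIdentityProvider (presumably created by tmc-local-stack; confirm)`.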
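Review bot: `data.values.tmc.version` in the PackageRepository `image:` expression has no counterpart in values.yaml, whose `tmc:` schema block declares only `repo`, `postgres` and `minio`; since values.yaml is a `#@data/values-schema`, referencing an undeclared key fails at render time unless another schema or values file outside this commit declares it. Declare it under `tmc:` the way `certmanager.package_repo.version` is declared, ideally as a required value: `#@schema/validation not_null=True` / `#@schema/nullable` / `version: ""`. tmc.yaml is also the only one of the three component manifests without an `#@ if data.values.<component>.enabled:` gate around its resources; if that is intentional, say so in a comment above `apiVersion: v1`. A header comment on `tmc_config()` would also help, e.g. `# Data-values overlay for the tmc.tanzu.vmware.com PackageInstall, delivered through the change-default-secret Secret`.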
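Review bot: Every credential in this schema ships with a usable placeholder default — `oidc.secret: randomsecret`, both `password: Passw0rd` entries, `ca.crt`/`ca.key: dummy`, and `userPassword: VMware1!` inside the `openldap.ldif` block — so a render that forgets to override one of them silently deploys the placeholder into the Dex, Postgres, MinIO and LDAP Secrets. ytt schemas can express "required" instead: mark each sensitive key `#@schema/nullable` with `#@schema/validation not_null=True` so an unset value fails `ytt` rather than reaching the cluster, e.g. `#@schema/validation not_null=True` / `#@schema/nullable` / `password: ""`. The `ldif` default is harder to make required because it is a single block scalar; at minimum a comment above `ldif: |` should say that the sample `tmc01` user and its `userPassword` are examples to be replaced. Unrelated, the bare `version: 2.2.0` and `version: 0.14.3` values parse as strings only because they contain two dots; quoting them protects against a future single-component value such as `1.0` being typed as a float.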