diff --git a/.gitlab/merge_request_templates/new_feature.md b/.gitlab/merge_request_templates/new_feature.md
index 74abae94c94dc0768bb5c51fe51ad253fce113fe..491b7f98ded7e0da03d18c95978eafcb7d86619f 100644
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist
 
 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
     * [ ] untagged runners
     * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc56d2e34862005eb75be743508be383467582a3..a61f47aa91b25360578e6ccf80aee5877f669f24 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,61 @@
-# [6.5.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/kubernetes/compare/6.4.0...6.5.0) (2025-01-29)
+## [7.3.1](https://gitlab.com/to-be-continuous/kubernetes/compare/7.3.0...7.3.1) (2025-04-11)
+
+
+### Bug Fixes
+
+* **envsubst:** leave lines with '# nosubst' unchanged when substituting (used to be simply dropped) ([f8164e7](https://gitlab.com/to-be-continuous/kubernetes/commit/f8164e79e74a592742ceb94b23aa7cfdfc845798)), closes [#50](https://gitlab.com/to-be-continuous/kubernetes/issues/50)
+
+# [7.3.0](https://gitlab.com/to-be-continuous/kubernetes/compare/7.2.1...7.3.0) (2025-03-10)
+
+
+### Features
+
+* skip GCP ADC authent when GCP_JWT is not present ([9ffc632](https://gitlab.com/to-be-continuous/kubernetes/commit/9ffc6327e2f6b1f9775457eb413799d4ca4090c3))
+
+## [7.2.1](https://gitlab.com/to-be-continuous/kubernetes/compare/7.2.0...7.2.1) (2025-02-25)
+
+
+### Bug Fixes
+
+* **security:** remove generated-deployment.yml from artifact ([24ea8bd](https://gitlab.com/to-be-continuous/kubernetes/commit/24ea8bde6ffa706d8f42694872242050f2c574e1))
+
+# [7.2.0](https://gitlab.com/to-be-continuous/kubernetes/compare/7.1.1...7.2.0) (2025-02-24)
+
+
+### Features
+
+* **AWS:** add AWS authent with STS ([a08a897](https://gitlab.com/to-be-continuous/kubernetes/commit/a08a897a2615d0c7e984ebee8842d795cf6d84b9))
+
+## [7.1.1](https://gitlab.com/to-be-continuous/kubernetes/compare/7.1.0...7.1.1) (2025-02-03)
+
+
+### Bug Fixes
+
+* **gcp:** reduce scope of GCP App Default Creds script to template ([8a3c727](https://gitlab.com/to-be-continuous/kubernetes/commit/8a3c72777b9bcc1dbb205464903c00feb6ccf753))
+
+# [7.1.0](https://gitlab.com/to-be-continuous/kubernetes/compare/7.0.0...7.1.0) (2025-02-01)
+
+
+### Features
+
+* **kustomize:** add TBC envsubst support for Kustomize based deployment ([ad7d3b6](https://gitlab.com/to-be-continuous/kubernetes/commit/ad7d3b65573396c8f9b5ca04447398fe3c89e3e6))
+
+# [7.0.0](https://gitlab.com/to-be-continuous/kubernetes/compare/6.5.0...7.0.0) (2025-01-31)
+
+
+### Features
+
+* variables substitution enhancements ([4023f7f](https://gitlab.com/to-be-continuous/kubernetes/commit/4023f7f862fd89b30067c6d548d4dbf06016f622))
+
+
+### BREAKING CHANGES
+
+* Now the variables substitution mechanism
+implements complete YAML string encoding.
+That might break projects that used to workaround the former
+implementation flaws.
+
+# [6.5.0](https://gitlab.com/to-be-continuous/kubernetes/compare/6.4.0...6.5.0) (2025-01-27)
 
 
 ### Features
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 75dde80ed4e2add1a02edc71344d8da2a542ddbe..f081d57839dbf5221d3298a7493d31364bb03e33 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:
 
 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
    Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
 
 ### Git Commit Conventions
diff --git a/README.md b/README.md
index d7b3de63a14d9c6f7a1ca2f41530fac625a1c079..8a324b916de54eb1be5e7d3eab29ebf245358f27 100644
--- a/README.md
+++ b/README.md
@@ -6,8 +6,8 @@ or [Kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustom
 
 ## Usage
 
-This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) 
-or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) 
+or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.
 
 ### Use as a CI/CD component
 
@@ -16,7 +16,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
   # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@6.5.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.3.1
     # 2: set/override component inputs
     inputs:
       # ⚠ this is only an example
@@ -35,7 +35,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
   # 1: include the template
   - project: 'to-be-continuous/kubernetes'
-    ref: '6.5.0'
+    ref: '7.3.1'
     file: '/templates/gitlab-ci-k8s.yml'
 
 variables:
@@ -71,7 +71,7 @@ _ongoing developments_ (a.k.a. _feature_ or _topic_ branches).
 When enabled, it deploys the result from upstream build stages to a dedicated and temporary environment.
 It is only active for non-production, non-integration branches.
 
-It is a strict equivalent of GitLab's [Review Apps](https://docs.gitlab.com/ee/ci/review_apps/) feature.
+It is a strict equivalent of GitLab's [Review Apps](https://docs.gitlab.com/ci/review_apps/) feature.
 
 It also comes with a _cleanup_ job (accessible either from the _environments_ page, or from the pipeline view).
 
@@ -99,8 +99,8 @@ You're free to enable whichever or both, and you can also choose your deployment
 
 The Kubernetes template supports 3 ways of login/accessing your Kubernetes cluster(s):
 
-1. Using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/ee/user/clusters/agent/ci_cd_workflow.html): when enabled, the template automatically retrieves and uses your Kubernetes cluster configuration (`KUBECONFIG` env),
-    :warning: don't forget to set the `KUBE_CONTEXT` variable (to `path/to/agent/project:agent-name`) as [stated in the documentation](https://docs.gitlab.com/ee/user/clusters/agent/ci_cd_workflow.html#environments-that-use-auto-devops).
+1. Using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/user/clusters/agent/ci_cd_workflow/): when enabled, the template automatically retrieves and uses your Kubernetes cluster configuration (`KUBECONFIG` env),
+    :warning: don't forget to set the `KUBE_CONTEXT` variable (to `path/to/agent/project:agent-name`) as [stated in the documentation](https://docs.gitlab.com/user/clusters/agent/ci_cd_workflow/#environments-that-use-auto-devops).
 2. By defining an explicit `kubeconfig` from env (either file or yaml content),
 3. By defining explicit `kubeconfig` **exploded parameters** from env: server url, server certificate authority and user token.
 
@@ -144,8 +144,8 @@ Examples (with an application's base name `myapp`):
 The Kubernetes template supports three techniques to deploy your code:
 
 1. script-based deployment,
-2. template-based deployment using raw Kubernetes manifests (with variables substitution),
-3. template-based deployment using [Kustomization files](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/).
+2. template-based deployment using raw Kubernetes manifests (with [variables substitution](#variables-substitution-mechanism)),
+3. template-based deployment using [Kustomization files](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/) (with [variables substitution](#variables-substitution-mechanism)).
 
 #### 1: script-based deployment
 
@@ -167,7 +167,7 @@ in your project structure, and let the GitLab CI template [`kubectl apply`](http
 The template processes the following steps:
 
 1. _optionally_ executes the `k8s-pre-apply.sh` script in your project to perform specific environment pre-initialization (for e.g. create required services),
-2. looks for your Kubernetes deployment file, performs [variables substitution](#using-variables) and [`kubectl apply`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply) it,
+2. looks for your Kubernetes deployment file, performs [variables substitution](#variables-substitution-mechanism) and [`kubectl apply`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply) it,
     1. look for a specific `deployment-$environment_type.yml` in your project (e.g. `deployment-staging.yml` for staging environment),
     2. fallbacks to default `deployment.yml`.
 3. _optionally_ executes the `k8s-post-apply.sh` script in your project to perform specific environment post-initialization stuff,
@@ -182,15 +182,12 @@ in your project structure, and let the template [`kubectl apply`](https://kubern
 The template processes the following steps:
 
 1. _optionally_ executes the `k8s-pre-apply.sh` script in your project to perform specific environment pre-initialization (for e.g. create required services),
-2. looks for your Kustomization file, performs variables substitution and [`kubectl apply`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply) it,
+2. looks for your Kustomization file, performs [variables substitution](#variables-substitution-mechanism), generates the manifests with [`kubectl kustomize`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#kustomize) and [`kubectl apply`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply) it,
     1. looks for an environment-specific [overlay](https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#overlay) file `./$environment_type/kustomization.yaml` (e.g. `./staging/kustomization.yaml ` for staging environment),
     2. fallbacks to default `kustomization.yaml`.
 3. _optionally_ executes the `k8s-post-apply.sh` script in your project to perform specific environment post-initialization stuff,
 
 :warning: `k8s-pre-apply.sh` or `k8s-post-apply.sh` needs to be executable, you can add flag execution with:  `git update-index --chmod=+x k8s-pre-apply.sh`
-
-Variables substitution is performed by the deprecated feature from Kustomize based on `configMapGenerator`, using a non-valuated variable from a config map.
-
 #### Readiness script
 
 After deployment (either script-based or template-based), the GitLab CI template _optionally_ executes the `k8s-readiness-check.sh` hook script to wait & check for the application to be ready (if not found, the template assumes the application was successfully started).
@@ -202,7 +199,7 @@ After deployment (either script-based or template-based), the GitLab CI template
 The Kubernetes template supports three techniques to destroy an environment (actually only review environments):
 
 1. script-based deployment,
-2. template-based deployment using raw Kubernetes manifests (with variables substitution),
+2. template-based deployment using raw Kubernetes manifests (with [variables substitution](#variables-substitution-mechanism)),
 3. template-based deployment using [Kustomization files](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/).
 
 #### 1: script-based cleanup
@@ -228,7 +225,7 @@ In this mode, you mainly let Kubernetes delete all objects from your Kubernetes
 The template processes the following steps:
 
 1. _optionally_ executes the `k8s-pre-cleanup.sh` script in your project to perform specific environment pre-cleanup stuff,
-2. looks for your Kubernetes deployment file, performs [variables substitution](#using-variables) and [`kubectl delete`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply) it,
+2. looks for your Kubernetes deployment file, performs [variables substitution](#variables-substitution-mechanism) and [`kubectl delete`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply) it,
     1. look for a specific `deployment-$environment_type.yml` in your project (e.g. `deployment-staging.yml` for staging environment),
     2. fallbacks to default `deployment.yml`.
 3. _optionally_ executes the `k8s-post-cleanup.sh` script in your project to perform specific environment post-cleanup (for e.g. delete bound services).
@@ -278,52 +275,43 @@ by using available environment variables:
        (ex: `MYPROJECT_REVIEW_FIX_BUG_12` or `MYPROJECT_STAGING`)
     * `${k8s_namespace}`: the Kubernetes namespace currently used for deployment/cleanup
     * `${hostname}`: the environment hostname, extracted from the current environment url (after late variable expansion - see below)
-2. any [GitLab CI variable](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)
-3. any [custom variable](https://docs.gitlab.com/ee/ci/variables/#for-a-project)
+2. any [GitLab CI variable](https://docs.gitlab.com/ci/variables/predefined_variables/)
+3. any [custom variable](https://docs.gitlab.com/ci/variables/#for-a-project)
     (ex: `${SECRET_TOKEN}` that you have set in your project CI/CD variables)
 
-While your scripts may simply use any of those variables, your Kubernetes and Kustomize resources can use **variable substitution**
-with the syntax `${VARIABLE_NAME}`.
-Each of those patterns will be dynamically replaced in your resources by the template right before using it.
-
-You can prevent any line from being processed by appending `# nosubst` at the end of the line.
-For instance in the following example, `${REMOTE_SERVICE_NAME}` won't be replaced by its environment value during GitLab job execution:
-
-```yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: ${APPLICATION_NAME}
-  name: ${APPLICATION_NAME}
-data:
-  application.yml: |
-    remote:
-      some-service:
-          name: '${REMOTE_SERVICE_NAME}' # nosubst
-```
-
-> :warning: In order to be properly replaced, curly braces are mandatory (ex: `${MYVAR}` and not `$MYVAR`).
-> Moreover, multiline variables must be surrounded by **double quotes** (`"`).
->
-> Example:
->
-> ```yaml
-> [...]
-> containers:
-> - name: restaurant-app
->   env:
->   # multiline variable
->   - name: MENU
->     value: "${APP_MENU}"
-> ```
+#### Variables substitution mechanism
+
+While your scripts may freely use any of the available variables, your Kubernetes and Kustomize
+resources can use a **variables substitution** mechanism implemented by the template:
+
+- Using the syntax `${VARIABLE_NAME}` or `%{VARIABLE_NAME}`.\
+  :warning: Curly braces (`{}`) are mandatory in the expression (`$VARIABLE_NAME` won't be processed).
+- Each of those expressions will be **dynamically expanded** in your resource files with the variable value, right before being used.
+- Variable substitution expressions **must be contained in double-quoted strings**.
+  The substitution implementation takes care of escaping characters that need to be (double quote `"`, backslash `\`, tab `\t`, carriage return `\n` and line feed `\r`).
+- Variable substitution can be prevented by appending `# nosubst` at the end of any line.\
+  Ex:
+  ```yaml
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    # ${environment_name} will be expanded
+    labels:
+      app: "${environment_name}"
+    name: "${environment_name}"
+  data:
+    application.yml: |
+      remote:
+        some-service:
+            name: '${REMOTE_SERVICE_NAME}' # nosubst
+  ```
 
 ### Environments URL management
 
 The K8S template supports two ways of providing your environments url:
 
 * a **static way**: when the environments url can be determined in advance, probably because you're exposing your routes through a DNS you manage,
-* a [**dynamic way**](https://docs.gitlab.com/ee/ci/environments/#set-a-dynamic-environment-url): when the url cannot be known before the
+* a [**dynamic way**](https://docs.gitlab.com/ci/environments/#set-a-dynamic-environment-url): when the url cannot be known before the
   deployment job is executed.
 
 The **static way** can be implemented simply by setting the appropriate configuration variable(s) depending on the environment (see environments configuration chapters):
@@ -352,7 +340,7 @@ the dynamically generated url. When detected by the template, it will use it as
 
 ### Deployment output variables
 
-Each deployment job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):
+Each deployment job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsdotenv)):
 
 * `$environment_type`: set to the type of environment (`review`, `integration`, `staging` or `production`),
 * `$environment_name`: the application name (see below),
@@ -368,12 +356,12 @@ You may also add and propagate your own custom variables, by pushing them to the
 
 Here are some advices about your **secrets** (variables marked with a :lock:):
 
-1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#for-a-project):
-    * [**masked**](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently
+1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ci/variables/#for-a-project):
+    * [**masked**](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently
       displayed in your job logs,
-    * [**protected**](https://docs.gitlab.com/ee/ci/variables/#protected-cicd-variables) if you want to secure some secrets
+    * [**protected**](https://docs.gitlab.com/ci/variables/#protected-cicd-variables) if you want to secure some secrets
       you don't want everyone in the project to have access to (for instance production secrets).
-2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable),
+2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable),
   simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:
   it will then be possible to mask it and the template will automatically decode it prior to using it.
 3. Don't forget to escape special characters (ex: `$` -> `$$`).
@@ -384,10 +372,10 @@ The Kubernetes template uses some global configuration used throughout all jobs.
 
 | Input / Variable | Description                                                                                                                                                             | Default value                                                                                          |
 | --------------------- | -------------------------------------- | ----------------- |
-| `kubectl-image` / `K8S_KUBECTL_IMAGE` | the Docker image used to run Kubernetes `kubectl` commands <br/>:warning: **set the version required by your Kubernetes server**                                        | `registry.hub.docker.com/bitnami/kubectl:latest`                                                       |
-| `base-app-name` / `K8S_BASE_APP_NAME` | Default application name                                                                                                                                                | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)) |
+| `kubectl-image` / `K8S_KUBECTL_IMAGE` | the Docker image used to run Kubernetes `kubectl` commands <br/>:warning: **set the version required by your Kubernetes server**                                        | `registry.hub.docker.com/bitnami/kubectl:latest`                                                       <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-K8S_KUBECTL_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-K8S_KUBECTL_IMAGE) |
+| `base-app-name` / `K8S_BASE_APP_NAME` | Default application name                                                                                                                                                | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ci/variables/predefined_variables/)) |
 | `environment-url` / `K8S_ENVIRONMENT_URL`    | Default environments url _(only define for static environment URLs declaration)_<br/>_supports late variable expansion (ex: `https://%{environment_name}.k8s.acme.com`)_ | _none_                                                                                                 |
-| `KUBE_CONTEXT`      | Defines the context to be used in `KUBECONFIG`. When using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/ee/user/clusters/agent/ci_cd_workflow.html), the value should be like `path/to/agent/project:agent-name`. To use different agents per environment, define an [environment-scoped CI/CD variable](https://docs.gitlab.com/ee/ci/environments/index.html#limit-the-environment-scope-of-a-cicd-variable) for each agent. | _none_ |
+| `KUBE_CONTEXT`      | Defines the context to be used in `KUBECONFIG`. When using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/user/clusters/agent/ci_cd_workflow/), the value should be like `path/to/agent/project:agent-name`. To use different agents per environment, define an [environment-scoped CI/CD variable](https://docs.gitlab.com/ci/environments/#limit-the-environment-scope-of-a-cicd-variable) for each agent. | _none_ |
 | :lock: `K8S_DEFAULT_KUBE_CONFIG`| The default kubeconfig to use (either content or file variable)                                                                                                         | **required if not using exploded kubeconfig parameters**                                               |
 | `url` / `K8S_URL` | the Kubernetes API url                                                                                                                                                  | **required if using exploded kubeconfig parameters**                                                   |
 | :lock: `K8S_CA_CERT`          | the default Kubernetes server certificate authority                                                                                                                     | **optional if using exploded kubeconfig parameters**                                                   |
@@ -488,7 +476,7 @@ Here are its parameters:
 
 | Input / Variable | Description                                                          | Default value     |
 | ---------------------- | -------------------------------------------------------------------- | ----------------- |
-| `kube-score-image` / `K8S_KUBE_SCORE_IMAGE` | Docker image to run [kube-score](https://github.com/zegl/kube-score) | `registry.hub.docker.com/zegl/kube-score:latest` **it is recommended to set a tool version compatible with your Kubernetes cluster** |
+| `kube-score-image` / `K8S_KUBE_SCORE_IMAGE` | Docker image to run [kube-score](https://github.com/zegl/kube-score) | `registry.hub.docker.com/zegl/kube-score:latest` **it is recommended to set a tool version compatible with your Kubernetes cluster** <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-K8S_KUBE_SCORE_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-K8S_KUBE_SCORE_IMAGE) |
 | `score-disabled` / `K8S_SCORE_DISABLED` | Set to `true` to disable the `kube-score` analysis                             | _none_ (enabled) |
 | `score-extra-opts` / `K8S_SCORE_EXTRA_OPTS` | [Additional options](https://github.com/zegl/kube-score#configuration) to `kube-score` command line | _none_ |
 | `k8s-score-job-tags` / `K8S_SCORE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
@@ -519,7 +507,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
 
-By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
 
 #### Usage
 
@@ -541,12 +529,12 @@ With:
 ```yaml
 include:
   # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@6.5.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.3.1
     inputs:
       # ⚠ oc-container image (includes required curl)
       kubectl-image: registry.hub.docker.com/docker.io/appuio/oc:v4.14
   # Vault variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s-vault@6.5.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s-vault@7.3.1
     inputs:
       # audience claim for JWT
       vault-oidc-aud: "https://vault.acme.host"
@@ -578,7 +566,7 @@ This [blog post about OIDC impersonation through Workload Identify Federation][g
 [gcp-adc]: https://cloud.google.com/docs/authentication/client-libraries
 [gcp-provider]: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#running-terraform-outside-of-google-cloud
 [gcp-iam-principals]: https://cloud.google.com/iam/docs/principal-identifiers
-[gcp-gitlab-wif]: https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/
+[gcp-gitlab-wif]: https://docs.gitlab.com/ci/cloud_services/google_cloud/
 [gcp-wif-example]: https://blog.salrashid.dev/articles/2021/understanding_workload_identity_federation/#oidc-impersonated
 
 #### Configuration
@@ -588,15 +576,15 @@ The variant requires the additional configuration parameters:
 | Input / Variable  | Description                            | Default value     |
 | ----------------- | -------------------------------------- | ----------------- |
 | `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token      | `$CI_SERVER_URL` |
-| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
+| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) | _none_ |
 | `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
-| `gcp-review-oidc-provider` / `GCP_REVIEW_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment _(only define to override default)_ | _none_ |
+| `gcp-review-oidc-provider` / `GCP_REVIEW_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment _(only define to override default)_ | _none_ |
 | `gcp-review-oidc-account` / `GCP_REVIEW_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `review` environment _(only define to override default)_ | _none_ |
-| `gcp-integ-oidc-provider` / `GCP_INTEG_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment _(only define to override default)_ | _none_ |
+| `gcp-integ-oidc-provider` / `GCP_INTEG_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment _(only define to override default)_ | _none_ |
 | `gcp-integ-oidc-account` / `GCP_INTEG_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `integration` environment _(only define to override default)_ | _none_ |
-| `gcp-staging-oidc-provider` / `GCP_STAGING_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment _(only define to override default)_ | _none_ |
+| `gcp-staging-oidc-provider` / `GCP_STAGING_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment _(only define to override default)_ | _none_ |
 | `gcp-staging-oidc-account` / `GCP_STAGING_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `staging` environment _(only define to override default)_ | _none_ |
-| `gcp-prod-oidc-provider` / `GCP_PROD_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment _(only define to override default)_ | _none_ |
+| `gcp-prod-oidc-provider` / `GCP_PROD_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment _(only define to override default)_ | _none_ |
 | `gcp-prod-oidc-account` / `GCP_PROD_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `production` environment _(only define to override default)_ | _none_ |
 | `kubectl-image` / `K8S_KUBECTL_IMAGE` | The Docker image used to run Kubernetes `kubectl` commands on [GKE](https://cloud.google.com/kubernetes-engine/docs) | `gcr.io/google.com/cloudsdktool/cloud-sdk:latest` |
 
@@ -607,9 +595,9 @@ With a common default `GCP_OIDC_PROVIDER` and `GCP_OIDC_ACCOUNT` configuration f
 ```yaml
 include:
   # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@6.5.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.3.1
   # Google Cloud variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8ss-gcp@6.5.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8ss-gcp@7.3.1
     inputs:
       # common OIDC config for non-prod envs
       gcp-oidc-provider: "projects/<gcp_nonprod_proj_id>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>"
@@ -618,3 +606,46 @@ include:
       gcp-prod-oidc-provider: "projects/<gcp_prod_proj_id>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>"
       gcp-prod-oidc-account: "<name>@$<gcp_prod_proj_id>.iam.gserviceaccount.com"
 ```
+
+### Amazon Web service variant
+
+This variant use the OIDC and [AWS STS](https://docs.aws.amazon.com/fr_fr/STS/latest/APIReference/welcome.html) in AWS to get credential
+
+#### Prerequesite
+
+- [Create an OpenID Connect (OIDC) identity provider in IAM
+  ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
+- [Configure a web identity role](https://docs.gitlab.com/ci/cloud_services/aws/#configure-a-role-and-trust)
+
+#### Configuration
+
+The  image from alpine `k8s` is required for the use of aws-iam-authenticator.
+  
+The variant requires the additional configuration parameters :
+
+| Input / Variable                                          | Description                                                                                                                                                                            | Default value    |
+|-----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|
+| `aws-oidc-aud` / `AWS_OIDC_AUD`                           | The `aud` claim for the JWT token                                                                                                                                                      | `$CI_SERVER_URL` |
+| `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN`                 | Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/)                                                  | _none_           |
+| `aws-review-oidc-role-arn` / `AWS_REVIEW_OIDC_ROLE_ARN`   | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `review` env _(only define to override default)_      | _none_           |
+| `aws-integ-oidc-role-arn` / `AWS_INTEG_OIDC_ROLE_ARN`     | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `integration` env _(only define to override default)_ | _none_           |
+| `aws-staging-oidc-role-arn` / `AWS_STAGING_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `staging` env _(only define to override default)_     | _none_           |
+| `aws-prod-oidc-role-arn` / `AWS_PROD_OIDC_ROLE_ARN`       | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `production` env _(only define to override default)_  | _none_           |
+| `kubectl-image` / `K8S_KUBECTL_IMAGE`                     | The Docker image used to run Kubernetes `kubectl` commands on [AWS]                                                                                                                    | `docker.io/alpine/k8s:1.32.1` |
+
+#### Example
+
+With a common default `AWS_OIDC_ROLE_ARN`  configuration for non-prod environments, and a specific one for production:
+
+```yaml
+include:
+  # main template
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.3.1
+  # AWS variant
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s-aws@7.3.1
+    inputs:
+      # common OIDC config for non-prod envs
+      aws-oidc-role-arn: "arn:aws:iam::<project_id>:role/<role_name>"
+      # specific OIDC config for prod
+      aws-prod-oidc-role-arn: "arn:aws:iam::<project_id>:role/<role_name>"
+```
\ No newline at end of file
diff --git a/kicker.json b/kicker.json
index 5bcf83cb5ae9e253c65175f8fc6960c3df245211..4a4ad90adef15a527f0384dd515b3f20c46fee0f 100644
--- a/kicker.json
+++ b/kicker.json
@@ -95,7 +95,7 @@
     {
       "id": "review",
       "name": "Review",
-      "description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ee/ci/review_apps/))",
+      "description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ci/review_apps/))",
       "variables": [
         {
           "name": "K8S_REVIEW_SPACE",
@@ -360,7 +360,7 @@
       "variables": [
         {
           "name": "GCP_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
           "default": "$CI_SERVER_URL",
           "advanced": true
         },
@@ -370,7 +370,7 @@
         },
         {
           "name": "GCP_OIDC_PROVIDER",
-          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
+          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)"
         },
         {
           "name": "GCP_REVIEW_OIDC_ACCOUNT",
@@ -379,7 +379,7 @@
         },
         {
           "name": "GCP_REVIEW_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment",
           "advanced": true
         },
         {
@@ -389,7 +389,7 @@
         },
         {
           "name": "GCP_INTEG_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment",
           "advanced": true
         },
         {
@@ -399,7 +399,7 @@
         },
         {
           "name": "GCP_STAGING_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment",
           "advanced": true
         },
         {
@@ -409,7 +409,7 @@
         },
         {
           "name": "GCP_PROD_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment",
           "advanced": true
         },
         {
@@ -418,6 +418,50 @@
           "default": "gcr.io/google.com/cloudsdktool/cloud-sdk:latest"
         }
       ]
+    },
+    {
+      "id": "aws-auth-provider",
+      "name": "Amazon Web service",
+      "description": "This variant uses [OpenID Connect in AWS] to retrieve temporary credentials.",
+      "template_path": "templates/gitlab-ci-k8s-aws.yml",
+      "variables": [
+        {
+          "name": "AWS_OIDC_AUD",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
+          "default": "$CI_SERVER_URL",
+          "advanced": true
+        },
+        {
+          "name": "AWS_OIDC_ROLE_ARN",
+          "description": "The default role ARN configured",
+          "advanced": true
+        },
+        {
+          "name": "AWS_REVIEW_OIDC_ROLE_ARN",
+          "description": "The role ARN configured for `review` environment",
+          "advanced": true
+        },
+        {
+          "name": "AWS_INTEG_OIDC_ROLE_ARN",
+          "description": "The role ARN configured for `integration` environment",
+          "advanced": true
+        },
+        {
+          "name": "AWS_STAGING_OIDC_ROLE_ARN",
+          "description": "The role ARN configured for `staging` environment",
+          "advanced": true
+        },
+        {
+          "name": "AWS_PROD_OIDC_ROLE_ARN",
+          "description": "The role ARN configured for `production` environment",
+          "advanced": true
+        },
+        {
+          "name": "K8S_KUBECTL_IMAGE",
+          "description": "The Docker image used to run Kubernetes `kubectl` commands on [AWS]",
+          "default": "docker.io/alpine/k8s:1.32.1"
+        }
+      ]
     }
   ]
 }
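Review bot: `AWS_OIDC_ROLE_ARN` is flagged `"advanced": true` although it is the one setting this variant cannot work without (the per-environment ARNs all fall back to it), so the kicker UI hides the mandatory input; the GCP counterpart `GCP_OIDC_PROVIDER` carries no `advanced` flag, so dropping the flag from the default-role entry keeps the two variants consistent. The descriptions `"This variant uses [OpenID Connect in AWS] to retrieve temporary credentials."` and `"...kubectl commands on [AWS]"` contain markdown link text with no target and will render as literal brackets; either give them a URL, e.g. `[OpenID Connect in AWS](https://docs.gitlab.com/ci/cloud_services/aws/)`, or drop the brackets. The default-role description `"The default role ARN configured"` would also be clearer as `"Default IAM Role ARN assumed via GitLab OIDC (used for every environment without a specific override)"`.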
diff --git a/templates/gitlab-ci-k8s-aws.yml b/templates/gitlab-ci-k8s-aws.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bd1637295ced41cc2079e999dcddc2abd6d51e9a
--- /dev/null
+++ b/templates/gitlab-ci-k8s-aws.yml
@@ -0,0 +1,82 @@
+# =====================================================================================================================
+# === Amazon Web Service template variant
+# =====================================================================================================================
+spec:
+  inputs:
+    kubectl-image:
+      description: The Docker image used to run Kubernetes `kubectl` commands on [AWS]
+      default: docker.io/alpine/k8s:1.32.1
+    aws-oidc-aud:
+      description: The `aud` claim for the JWT
+      default: $CI_SERVER_URL
+    aws-oidc-role-arn:
+      description: Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/)
+      default: ''
+    aws-review-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `review` env _(only define to override default)_
+      default: ''
+    aws-integ-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `integration` env _(only define to override default)_
+      default: ''
+    aws-staging-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `staging` env _(only define to override default)_
+      default: ''
+    aws-prod-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `production` env _(only define to override default)_
+      default: ''
+
+---
+variables:
+  AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
+  AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]]
+  AWS_REVIEW_OIDC_ROLE_ARN: $[[ inputs.aws-review-oidc-role-arn ]]
+  AWS_STAGING_OIDC_ROLE_ARN: $[[ inputs.aws-staging-oidc-role-arn ]]
+  AWS_INTEG_OIDC_ROLE_ARN: $[[ inputs.aws-integ-oidc-role-arn ]]
+  AWS_PROD_OIDC_ROLE_ARN: $[[ inputs.aws-prod-oidc-role-arn ]]
+
+  K8S_KUBECTL_IMAGE: $[[ inputs.kubectl-image ]]
+
+.k8s-aws-sts:
+  # init Assume Role with Web Identity Configuration
+  # see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role-with-web-identity-configuration-reference
+  - echo "Installing AWS authentication"
+  - |
+    if [[ "$ENV_TYPE" ]]
+    then
+      case "$ENV_TYPE" in
+      review*)
+        env_prefix=REVIEW;;
+      integ*)
+        env_prefix=INTEG;;
+      staging*)
+        env_prefix=STAGING;;
+      prod*)
+        env_prefix=PROD;;
+      esac
+      log_info "Configuring Assume Role with Web Identity for AWS provider..."
+      export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/web_identity_token
+      echo "${AWS_JWT}" > "$AWS_WEB_IDENTITY_TOKEN_FILE"
+      env_role_arn=$(eval echo "\$AWS_${env_prefix}_OIDC_ROLE_ARN")
+      export AWS_ROLE_ARN="${env_role_arn:-$AWS_OIDC_ROLE_ARN}"
+      export AWS_ROLE_SESSION_NAME="GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
+    fi
+
+.k8s-deploy:
+  id_tokens:
+    AWS_JWT:
+      aud: "$AWS_OIDC_AUD"
+  before_script:
+    - !reference [.k8s-scripts]
+    - !reference [.k8s-aws-sts]
+    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
+    - k8s_login
+
+.k8s-cleanup: 
+  id_tokens:
+    AWS_JWT:
+      aud: "$AWS_OIDC_AUD"
+  before_script:
+    - !reference [.k8s-scripts]
+    - !reference [.k8s-aws-sts]
+    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
+    - k8s_login
\ No newline at end of file
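Review bot: `.k8s-aws-sts` never fails fast when no role is resolved: if neither `AWS_<ENV>_OIDC_ROLE_ARN` nor `AWS_OIDC_ROLE_ARN` is set, `AWS_ROLE_ARN` is exported empty (and an unset `AWS_JWT` produces an empty token file), so the job only dies later inside `k8s_login` with an opaque SDK error, while the GCP variant at least warns when its token is missing. After the `export AWS_ROLE_ARN=...` line add `if [[ -z "$AWS_ROLE_ARN" || -z "$AWS_JWT" ]]; then log_error "AWS OIDC: no IAM role ARN configured or no ID token (AWS_JWT) available"; exit 1; fi` (`log_error` is exported by the main template). The `eval echo "\$AWS_${env_prefix}_OIDC_ROLE_ARN"` indirection can be bash indirect expansion, `var_name="AWS_${env_prefix}_OIDC_ROLE_ARN"; env_role_arn="${!var_name}"`, which avoids running `eval` on a constructed string. The token file is written to the fixed path `/tmp/web_identity_token` with the job's default umask rather than under `$CI_BUILDS_DIR` as the GCP variant does; prefixing `umask 077` (or `(umask 077; echo "$AWS_JWT" > "$AWS_WEB_IDENTITY_TOKEN_FILE")`) keeps the credential readable only by the job user. Note that nothing in the template scopes which pipelines may assume the role — that must come from the IAM trust policy's `sub`/`aud` conditions, which the README prerequisites should say explicitly.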
diff --git a/templates/gitlab-ci-k8s-gcp.yml b/templates/gitlab-ci-k8s-gcp.yml
index 5bed69f219b0e192e18721b893345d4ef214e302..6f76ad039a12dde2bbd3706526147feab7885af3 100644
--- a/templates/gitlab-ci-k8s-gcp.yml
+++ b/templates/gitlab-ci-k8s-gcp.yml
@@ -13,31 +13,31 @@ spec:
       description: Default Service Account to which impersonate with OpenID Connect authentication
       default: ''
     gcp-oidc-provider:
-      description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
+      description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)
       default: ''
     gcp-review-oidc-account:
       description: Service Account to which impersonate with OpenID Connect authentication on `review` environment
       default: ''
     gcp-review-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment
       default: ''
     gcp-integ-oidc-account:
       description: Service Account to which impersonate with OpenID Connect authentication on `integration` environment
       default: ''
     gcp-integ-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment
       default: ''
     gcp-staging-oidc-account:
       description: Service Account to which impersonate with OpenID Connect authentication on `staging` environment
       default: ''
     gcp-staging-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment
       default: ''
     gcp-prod-oidc-account:
       description: Service Account to which impersonate with OpenID Connect authentication on `production` environment
       default: ''
     gcp-prod-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment
       default: ''
 ---
 variables:
@@ -56,11 +56,12 @@ variables:
   
   K8S_KUBECTL_IMAGE: $[[ inputs.kubectl-image ]]
 
-.gcp-provider-auth:
-  before_script:
-    - echo "Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file"
-    - echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"
-    - |-
+.k8s-gcp-adc:
+  - |
+    if [[ "$GCP_JWT" ]]
+    then
+      echo "Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file"
+      echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"
       if [[ "$ENV_TYPE" ]]
       then
         case "$ENV_TYPE" in
@@ -80,7 +81,6 @@ variables:
       fi
       oidc_provider="${env_oidc_provider:-$GCP_OIDC_PROVIDER}"
       oidc_account="${env_oidc_account:-$GCP_OIDC_ACCOUNT}"
-    - |-
       cat << EOF > "$CI_BUILDS_DIR/google_application_credentials.json"
       {
         "type": "external_account",
@@ -92,8 +92,11 @@ variables:
         },
         "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${oidc_account}:generateAccessToken"
       }
-      EOF
-    - export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json"
+    EOF
+      export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json"
+    else
+      echo '[WARN] $GCP_JWT is not set: cannot setup Application Default Credentials (ADC) authentication'
+    fi
 
 .k8s-deploy:
   id_tokens:
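Review bot: The new `else` branch only prints a warning when `$GCP_JWT` is unset and then lets `before_script` continue into `k8s_login`, so the deploy proceeds without the intended impersonated service account; if the runner itself is hosted on GCP, Application Default Credentials will presumably fall back to the node's metadata-server identity, which means a misconfigured `id_tokens` could silently deploy with the runner's own privileges rather than fail — worth stating in the warning, or making it fatal when a GCP OIDC provider is configured, e.g. `if [[ "$GCP_OIDC_PROVIDER" ]]; then log_error "GCP_JWT is not set: cannot setup ADC authentication"; exit 1; fi`. The message is also emitted with a bare `echo '[WARN] ...'` while the same block uses `log_info`/`log_warn` helpers; `log_warn '$GCP_JWT is not set: cannot setup Application Default Credentials (ADC) authentication'` keeps the output format consistent. `.k8s-gcp-adc` starts outside this hunk.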
@@ -101,7 +104,7 @@ variables:
       aud: "$GCP_OIDC_AUD"
   before_script:
     - !reference [.k8s-scripts]
-    - !reference [.gcp-provider-auth, before_script]
+    - !reference [.k8s-gcp-adc]
     - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
     - k8s_login
 
@@ -111,6 +114,6 @@ variables:
       aud: "$GCP_OIDC_AUD"
   before_script:
     - !reference [.k8s-scripts]
-    - !reference [.gcp-provider-auth, before_script]    
+    - !reference [.k8s-gcp-adc]
     - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
     - k8s_login
\ No newline at end of file
diff --git a/templates/gitlab-ci-k8s-vault.yml b/templates/gitlab-ci-k8s-vault.yml
index 7f467ca1b98cd8f16749c3f82a4359a4da45bfc9..24082753df2bfa4eae2e4fe78d09e462b7368b79 100644
--- a/templates/gitlab-ci-k8s-vault.yml
+++ b/templates/gitlab-ci-k8s-vault.yml
@@ -22,7 +22,7 @@ variables:
 .k8s-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "--port", "8082", "kubernetes", "6.5.0"]
+      command: ["--service", "--port", "8082", "kubernetes", "7.3.1"]
     - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"
   variables:
diff --git a/templates/gitlab-ci-k8s.yml b/templates/gitlab-ci-k8s.yml
index bc2412b1eb89b9f328a6612dbfa7f44a92a7cb20..ecf41aedaa7dd6fb2fa9517a0f9a0795f9df37a1 100644
--- a/templates/gitlab-ci-k8s.yml
+++ b/templates/gitlab-ci-k8s.yml
@@ -444,9 +444,82 @@ stages:
     echo "$1" | tr '[:lower:]' '[:upper:]' | tr '[:punct:]' '_'
   }
 
-  function awkenvsubst() {
-    # performs variables escaping: '&' for gsub + JSON chars ('\' and '"')
-    awk '!/# *nosubst/{while(match($0,"[$%]{[^}]*}")) {var=substr($0,RSTART+2,RLENGTH-3);val=ENVIRON[var];gsub(/["\\&]/,"\\\\&",val);gsub("[$%]{"var"}",val)}}1'
+  function tbc_envsubst() {
+    awk '
+      BEGIN {
+        count_replaced_lines = 0
+        # ASCII codes
+        for (i=0; i<=255; i++)
+          char2code[sprintf("%c", i)] = i
+      }
+      # determine encoding (from env or from file extension)
+      function encoding() {
+        enc = ENVIRON["TBC_ENVSUBST_ENCODING"]
+        if (enc != "")
+          return enc
+        if (match(FILENAME, /\.(json|yaml|yml)$/))
+          return "jsonstr"
+        return "raw"
+      }
+      # see: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
+      function uriencode(str) {
+        len = length(str)
+        enc = ""
+        for (i=1; i<=len; i++) {
+          c = substr(str, i, 1);
+          if (index("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.!~*'\''()", c))
+            enc = enc c
+          else
+            enc = enc "%" sprintf("%02X", char2code[c])
+        }
+        return enc
+      }
+      /# *nosubst/ {
+        print $0
+        next
+      }
+      {
+        orig_line = $0
+        line = $0
+        count_repl_in_line = 0
+        # /!\ 3rd arg (match) not supported in BusyBox awk
+        while (match(line, /[$%]\{([[:alnum:]_]+)\}/)) {
+          expr_start = RSTART
+          expr_len = RLENGTH
+          # get var name
+          var = substr(line, expr_start+2, expr_len-3)
+          # get var value (from env)
+          val = ENVIRON[var]
+          # check variable is set
+          if (val == "") {
+            printf("[\033[1;93mWARN\033[0m] Environment variable \033[33;1m%s\033[0m is not set or empty\n", var) > "/dev/stderr"
+          } else {
+            enc = encoding()
+            if (enc == "jsonstr") {
+              gsub(/["\\]/, "\\\\&", val)
+              gsub("\n", "\\n", val)
+              gsub("\r", "\\r", val)
+              gsub("\t", "\\t", val)
+            } else if (enc == "uricomp") {
+              val = uriencode(val)
+            } else if (enc == "raw") {
+            } else {
+              printf("[\033[1;93mWARN\033[0m] Unsupported encoding \033[33;1m%s\033[0m: ignored\n", enc) > "/dev/stderr"
+            }
+          }
+          # replace expression in line
+          line = substr(line, 1, expr_start - 1) val substr(line, expr_start + expr_len)
+          count_repl_in_line++
+        }
+        if (count_repl_in_line) {
+          if (count_replaced_lines == 0)
+            printf("[\033[1;94mINFO\033[0m] Variable expansion occurred in file \033[33;1m%s\033[0m:\n", FILENAME) > "/dev/stderr"
+          count_replaced_lines++
+          printf("> line %s: %s\n", NR, orig_line) > "/dev/stderr"
+        }
+        print line
+      }
+    ' "$@"
   }
 
   function exec_hook() {
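Review bot: In `tbc_envsubst`, `match(line, ...)` rescans the whole line after each replacement, so an expanded value that itself contains `${NAME}` is expanded again on the next iteration: a CI variable whose content is attacker-influenced (a commit message, MR title or branch name interpolated into a manifest) can thus pull any other environment variable — including secrets — into the rendered deployment, and a self-referencing value (`X='${X}'`) loops forever. The previous `awkenvsubst` had the same rescan behaviour, but since this is a rewrite it is the moment to fix it: consume the line left to right, appending the value to an output buffer that is never rescanned. Separately, `uriencode` uses `enc`, `len`, `i` and `c` as awk globals, and `enc` is the same name the caller uses for the encoding selection — this only works because `enc = encoding()` is re-evaluated on every iteration; declaring them as extra parameters, `function uriencode(str,   len, enc, i, c)`, removes the trap. `.k8s-scripts` starts outside this hunk.

```shell
      {
        orig_line = $0
        rest = $0
        line = ""
        count_repl_in_line = 0
        # /!\ 3rd arg (match) not supported in BusyBox awk
        # scan 'rest' left to right; expanded values are appended to 'line'
        # and never rescanned, so a value containing '${OTHER}' is not expanded
        while (match(rest, /[$%]\{([[:alnum:]_]+)\}/)) {
          var = substr(rest, RSTART+2, RLENGTH-3)
          val = ENVIRON[var]
          # … unchanged: empty-value warning and jsonstr/uricomp/raw encoding of val …
          line = line substr(rest, 1, RSTART-1) val
          rest = substr(rest, RSTART+RLENGTH)
          count_repl_in_line++
        }
        line = line rest
        # … unchanged: INFO report of replaced lines …
        print line
      }
```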
@@ -549,10 +622,16 @@ stages:
       fi
       deploymentdir=$(dirname "$kustofile")
 
+      # variables substitution
+      tbc_envsubst "$kustofile" > generated-kustomization.yml
+      # overwrite kustomization file with substitued variables
+      mv generated-kustomization.yml "$kustofile"
+
       # apply/delete deployment descriptor
       log_info "--- \\e[32mkustomize\\e[0m"
       # shellcheck disable=SC2086
-      kubectl kustomize "$deploymentdir" ${K8S_KUSTOMIZE_ARGS}  > ./generated-deployment.yml
+      kubectl kustomize "$deploymentdir" ${K8S_KUSTOMIZE_ARGS}  > generated-deployment.yml
+
       log_info "--- \\e[32mkubectl $action\\e[0m"
       kubectl ${TRACE+-v=5} "$action" -f ./generated-deployment.yml
     else
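Review bot: Only `$kustofile` itself is passed through `tbc_envsubst` before `kubectl kustomize`, so `${VAR}` placeholders in the resource or patch files the kustomization references are rendered by kustomize untouched; the inline comment should say so, e.g. `# variables substitution (kustomization file only: referenced resources/patches are NOT substituted)`. The temporary `generated-kustomization.yml` is created in the job's working directory and then moved over the checked-out `$kustofile`, which is fine in CI but means a second `do_kubectl` call in the same job (for instance a rollback) runs against the already-substituted file — harmless today since no placeholders remain, but worth a one-line comment. The enclosing function starts and ends outside this hunk.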
@@ -564,8 +643,8 @@ stages:
         exit 1
       fi
 
-      # replace variables (alternative for envsubst which is not present in image)
-      awkenvsubst < "$deploymentfile" > generated-deployment.yml
+      # variables substitution
+      tbc_envsubst "$deploymentfile" > generated-deployment.yml
 
       log_info "--- \\e[32mkubectl $action\\e[0m"
       kubectl ${TRACE+-v=5} "$action" -f ./generated-deployment.yml
@@ -587,7 +666,7 @@ stages:
     export appname_ssc=$environment_name_ssc
 
     # variables expansion in $environment_url
-    environment_url=$(echo "$environment_url" | awkenvsubst)
+    environment_url=$(echo "$environment_url" | TBC_ENVSUBST_ENCODING=uricomp tbc_envsubst)
     export environment_url
     # extract hostname from $environment_url
     hostname=$(echo "$environment_url" | awk -F[/:] '{print $4}')
@@ -669,7 +748,7 @@ stages:
     export appname_ssc=$environment_name_ssc
 
     # variables expansion in $environment_url
-    environment_url=$(echo "$environment_url" | awkenvsubst)
+    environment_url=$(echo "$environment_url" | TBC_ENVSUBST_ENCODING=uricomp tbc_envsubst)
     export environment_url
     # extract hostname from $environment_url
     hostname=$(echo "$environment_url" | awk -F[/:] '{print $4}')
@@ -741,7 +820,7 @@ stages:
         log_info "--- \\e[32mpre-cleanup hook\\e[0m (\\e[33;1m${prescript}\\e[0m) not found: skip"
       fi
 
-      # has to be valuated for envsubst
+      # has to be valuated for tbc_envsubst
       export hostname=hostname
 
       do_kubectl delete
@@ -769,8 +848,18 @@ stages:
       fi
       deploymentdir=$(dirname "$kustofile")
 
+      # variables substitution
+      tbc_envsubst "$kustofile" > generated-kustomization.yml
+      # overwrite kustomization file with substitued variables
+      mv generated-kustomization.yml "$kustofile"
+
+      # apply/delete deployment descriptor
+      log_info "--- \\e[32mkustomize\\e[0m"
+      # shellcheck disable=SC2086
+      kustomize build ${K8S_KUSTOMIZE_ARGS} "$deploymentdir" > generated-deployment.yml
+
       # shellcheck disable=SC2086
-      kustomize build ${K8S_KUSTOMIZE_ARGS} "${deploymentdir}" | /usr/bin/kube-score score $K8S_SCORE_EXTRA_OPTS -
+      /usr/bin/kube-score score $K8S_SCORE_EXTRA_OPTS generated-deployment.yml
     else
       # find deployment file
       deploymentfile=$(ls -1 "$K8S_SCRIPTS_DIR/deployment-${environment_type}.yml" 2>/dev/null || ls -1 "$K8S_SCRIPTS_DIR/deployment.yml" 2>/dev/null || echo "")
@@ -780,8 +869,8 @@ stages:
         exit 1
       fi
 
-      # replace variables (alternative for envsubst which is not present in image)
-      awkenvsubst < "$deploymentfile" > generated-deployment.yml
+      # variables substitution
+      tbc_envsubst "$deploymentfile" > generated-deployment.yml
 
       # shellcheck disable=SC2086
       /usr/bin/kube-score score $K8S_SCORE_EXTRA_OPTS generated-deployment.yml
@@ -789,7 +878,7 @@ stages:
   }
 
   # export tool functions (might be used in after_script)
-  export -f log_info log_warn log_error assert_defined rollback awkenvsubst
+  export -f log_info log_warn log_error assert_defined rollback tbc_envsubst
 
   unscope_variables
   eval_all_secrets
@@ -802,7 +891,7 @@ stages:
     entrypoint: [""]
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "kubernetes", "6.5.0"]
+      command: ["--service", "kubernetes", "7.3.1"]
   before_script:
     - !reference [.k8s-scripts]
     - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
@@ -876,7 +965,6 @@ k8s-score:
     name: "$ENV_TYPE env url for $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
     when: always
     paths:
-      - generated-deployment.yml
       - environment_url.txt
     reports:
       dotenv: kubernetes.env