diff --git a/.gitignore b/.gitignore
index cf409683..f46609e9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,5 +16,6 @@ sonic-vs.img
 files/certs/*.pem
 files/certs/**/*.pem
 files/certs/**/*.crt
+files/certs/**/*.pub
 .vscode
-vrnetlab
\ No newline at end of file
+vrnetlab
diff --git a/deploy_control_plane.yaml b/deploy_control_plane.yaml
index bd0f0241..db596be4 100644
--- a/deploy_control_plane.yaml
+++ b/deploy_control_plane.yaml
@@ -6,6 +6,8 @@
 roles:
 - name: ansible-common
 tags: always
+ - name: metal-ansible-modules
+ tags: always
 - name: ingress-controller
 tags: ingress-controller
 - name: metal-roles/control-plane/roles/prepare
@@ -29,6 +31,8 @@
 tags: valkey
 - name: metal-roles/control-plane/roles/zitadel
 tags: auth
+ - name: metal-roles/common/roles/metal-v2-client
+ tags: metal
 - name: metal-roles/control-plane/roles/metal
 tags: metal
 - name: metal-roles/control-plane/roles/logging
@@ -41,7 +45,7 @@
 - name: deploy gardener
 import_playbook: deploy_gardener.yaml
 when: gardener_enabled and not kamaji_enabled
-
+
 - name: deploy kamaji
 import_playbook: deploy_kamaji.yaml
 when: kamaji_enabled and not gardener_enabled
diff --git a/files/certs/bmc-proxy/client.json b/files/certs/bmc-proxy/client.json
new file mode 100644
index 00000000..2ca23049
--- /dev/null
+++ b/files/certs/bmc-proxy/client.json
@@ -0,0 +1,17 @@
+{
+ "CN": "bmc-proxy-client",
+ "hosts": [""],
+ "key": {
+ "algo": "rsa",
+ "size": 4096
+ },
+ "names": [
+ {
+ "C": "DE",
+ "L": "Munich",
+ "O": "Metal-Stack",
+ "OU": "DevOps",
+ "ST": "Bavaria"
+ }
+ ]
+}
diff --git a/files/certs/bmc-proxy/server.json b/files/certs/bmc-proxy/server.json
new file mode 100644
index 00000000..69fc5ca5
--- /dev/null
+++ b/files/certs/bmc-proxy/server.json
@@ -0,0 +1,22 @@
+{
+ "CN": "metal-console",
+ "hosts": [
+ "localhost",
+ "metal-console",
+ "metal-console.svc",
+ "metal-console.svc.cluster.local"
+ ],
+ "key": {
+ "algo": "rsa",
+ "size": 4096
+ },
+ "names": [
+ {
+ "C": "DE",
+ "L": "Munich",
+ "O": "Metal-Stack",
+ "OU": "DevOps",
+ "ST": "Bavaria"
+ }
+ ]
+}
diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml
index 539c80bd..ab8e2a7f 100644
--- a/inventories/group_vars/all/release_vector.yaml
+++ b/inventories/group_vars/all/release_vector.yaml
@@ -1,5 +1,5 @@
 ---
-metal_stack_release_version: develop
+metal_stack_release_version: separate-metal-console-helm-chart
 metal_stack_release_vectors:
 - url: oci://ghcr.io/metal-stack/releases:{{ metal_stack_release_version }}
@@ -22,7 +22,7 @@ metal_stack_release_vectors:
 # metal_masterdata_api_image_name:
 # metal_masterdata_api_image_tag:
 # metal_console_image_name:
-# metal_console_image_tag:
+metal_console_image_tag: pr-migrate-to-metal-apiserver-token-renewal
 # metal_core_image_name:
 # metal_core_image_tag:
 # headscale_image_tag:
@@ -40,7 +40,8 @@ metal_stack_release_vectors:
 ##
 # ansible_common_version:
-# metal_roles_version:
+metal_roles_version: migrate-to-metal-apiserver-token-renewal
+
 # metal_ansible_modules_version:
 ##
@@ -48,6 +49,11 @@ metal_stack_release_vectors:
 ##
 # metal_helm_chart_tag:
+metal_helm_chart_version: 0.8.3
+metal_helm_chart_tag: v0.8.3-pull-request.161
+metal_console_helm_chart_version: 0.1.0
+metal_console_helm_chart_tag: v0.1.0-pull-request.161
+
 # metal_helm_chart:
 # further overrides can be looked up in metal-roles where the mapping is defined:
 # https://github.com/metal-stack/metal-roles/blob/master/common/roles/defaults/defaults/main.yaml
diff --git a/inventories/group_vars/control_plane/metal.yml b/inventories/group_vars/control_plane/metal.yml
index b40a5a04..f8e636cf 100644
--- a/inventories/group_vars/control_plane/metal.yml
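Review bot: The SAN list in the new server.json carries `metal-console.svc.cluster.local`, which does not match the in-cluster service DNS form `<service>.<namespace>.svc.cluster.local`, so a client that dials the cluster-DNS name would fail hostname verification against this certificate and the usual workaround is to disable verification. If this certificate is meant for in-cluster TLS, add the namespace-qualified names, e.g. `"metal-console.<namespace>.svc"` and `"metal-console.<namespace>.svc.cluster.local"` with the real namespace substituted for the placeholder; if only `localhost` and `metal-console` are ever dialled, the two `.svc` entries are dead weight and can be dropped. The CN `metal-console` in a file under `bmc-proxy/` also deserves a sentence in the commit message or a README, since the CSR JSON itself cannot carry a comment.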
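Review bot: The new values in release_vector.yaml pin the deployment to pull-request artifacts rather than released versions: `metal_stack_release_version: separate-metal-console-helm-chart` is a branch name, and the later hunks set `metal_console_image_tag: pr-migrate-to-metal-apiserver-token-renewal`, `metal_roles_version: migrate-to-metal-apiserver-token-renewal` and the two `*-pull-request.161` chart tags. Tags of that shape are mutable and are typically rebuilt or removed once the PR merges, so a re-run can silently resolve to different content and the deployment is not reproducible. Before merge these overrides should either return to commented-out lines, as the surrounding `# metal_*` entries are, so the versions come from the release vector, or be pinned to an immutable reference such as a release tag or an image digest.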
+++ b/inventories/group_vars/control_plane/metal.yml
@@ -156,7 +156,18 @@ metal_masterdata_api_projects:
 name: sample-project
 description: Sample project with static id
-metal_console_enabled: false
+metal_console_enabled: true
+metal_console_use_apiserver: true
+metal_console_token_renewal:
+ enabled: true
+metal_console_token_expiration: 15m
+
+metal_console_bmc_proxy_certs_ca_cert: "{{ lookup('file', 'certs/ca.pem') }}"
+metal_console_bmc_proxy_certs_server_cert: "{{ lookup('file', 'certs/bmc-proxy/server.pem') }}"
+metal_console_bmc_proxy_certs_server_key: "{{ lookup('file', 'certs/bmc-proxy/server-key.pem') }}"
+metal_console_bmc_proxy_certs_server_pub: "{{ lookup('file', 'certs/bmc-proxy/server-key.pub') }}"
+metal_console_bmc_proxy_certs_client_cert: "{{ lookup('file', 'certs/bmc-proxy/client.pem') }}"
+metal_console_bmc_proxy_certs_client_key: "{{ lookup('file', 'certs/bmc-proxy/client-key.pem') }}"
 metal_api_grpc_certs_server_key: "{{ lookup('file', 'certs/grpc/server-key.pem') }}"
 metal_api_grpc_certs_server_cert: "{{ lookup('file', 'certs/grpc/server.pem') }}"
diff --git a/scripts/roll_certs.sh b/scripts/roll_certs.sh
index 7fc34acd..378f4f74 100755
--- a/scripts/roll_certs.sh
+++ b/scripts/roll_certs.sh
@@ -37,3 +37,12 @@ cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -pro
 cat client.pem client-key.pem > client.crt
 rm -f *.csr
 popd
+
+echo "generating bmc-proxy certs"
+
+pushd bmc-proxy
+cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=server server.json | cfssljson -bare server
+cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=client client.json | cfssljson -bare client
+rm *.csr
+ssh-keygen -y -f server-key.pem > server-key.pub
+popd
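Review bot: The new bmc-proxy block in roll_certs.sh uses `rm *.csr` while the existing block three lines above uses `rm -f *.csr`; if the script runs under `set -e` (its header is outside the hunk) an unmatched glob makes `rm` fail and abort before `ssh-keygen` and `popd` run, so keep it consistent as `rm -f *.csr`. The two `cfssl gencert … | cfssljson -bare …` pipelines only surface the exit status of `cfssljson`, so a failed `cfssl` call can leave a missing or stale `server-key.pem` while the script carries on unless `pipefail` is set — the same caveat applies to the pre-existing blocks, so it is worth a note rather than a fix here. `ssh-keygen -y -f server-key.pem > server-key.pub` also makes the TLS server private key the key behind `server-key.pub`; if that public key is consumed as an SSH host or authorized key, one RSA key now serves two protocols and a compromise of either use exposes both, so either generate a separate key pair for the `.pub` or add a comment above the line stating why sharing the key is intended.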