diff --git a/charts/zrok/Chart.yaml b/charts/zrok/Chart.yaml
index 3b3bd27e..5d1f8873 100644
--- a/charts/zrok/Chart.yaml
+++ b/charts/zrok/Chart.yaml
@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 1.0.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 1.0.0
+appVersion: 1.0.4
 
 dependencies: []
diff --git a/charts/zrok/README.md b/charts/zrok/README.md
index f2f01a70..fe395a09 100644
--- a/charts/zrok/README.md
+++ b/charts/zrok/README.md
@@ -2,7 +2,7 @@
 # zrok
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.4](https://img.shields.io/badge/AppVersion-1.0.4-informational?style=flat-square)
 
 Run the zrok controller and zrok frontend components as a K8s deployment
@@ -163,7 +163,6 @@ zrok nginx api.zrok.192.168.49.2.sslip.io 192.168.49.2 80 8m41s
 | controller.service.type | string | `"ClusterIP"` | The service type to use for the zrok controller |
 | controller.specVersion | int | `4` | |
 | dnsZone | string | `"zrok.example.com"` | The DNS zone with a wildcard * A record to use for the zrok public frontend |
-| frontend.deBootstrapScript | string | `"delete-identity.sh"` | |
 | frontend.extraConfig | object | `{}` | append additional frontend config |
 | frontend.homeDir | string | `"/var/lib/zrok"` | a read-only mountpoint for the frontend's Ziti identity is "homeDir" because zrok always looks in $HOME/.zrok/identities |
 | frontend.ingress.annotations | object | `{}` | The annotations to use for the frontend's ingress resource |
diff --git a/charts/zrok/templates/controller-deployment.yaml b/charts/zrok/templates/controller-deployment.yaml
index e3233953..573fd63e 100644
--- a/charts/zrok/templates/controller-deployment.yaml
+++ b/charts/zrok/templates/controller-deployment.yaml
@@ -39,7 +39,7 @@ spec:
 - name: HOME
 value: {{ .Values.controller.persistence.mount_dir }}
 volumeMounts:
- - name: zrok-config
+ - name: zrok-controller-config
 mountPath: /etc/zrok
 readOnly: true
 - name: bootstrap-ziti
@@ -72,7 +72,7 @@ spec:
 - name: HOME
 value: {{ .Values.controller.persistence.mount_dir }}
 volumeMounts:
- - name: zrok-config
+ - name: zrok-controller-config
 mountPath: /etc/zrok
 readOnly: true
 - name: persistence
@@ -94,7 +94,7 @@ spec:
 {{- toYaml .Values.resources | nindent 12 }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
- {{- toYaml . | nindent 8 }}z
+ {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.affinity }}
 affinity:
@@ -105,7 +105,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 volumes:
- - name: zrok-config
+ - name: zrok-controller-config
 configMap:
 name: {{ include "zrok.fullname" . }}-config
 defaultMode: 0444
diff --git a/charts/zrok/templates/controller-secrets-configmap.yaml b/charts/zrok/templates/controller-secrets-configmap.yaml
index 5fab59cc..62f365eb 100644
--- a/charts/zrok/templates/controller-secrets-configmap.yaml
+++ b/charts/zrok/templates/controller-secrets-configmap.yaml
@@ -77,7 +77,10 @@ data:
 # set -o xtrace
 
 # uses mounted zrok config YAML
- zrok admin bootstrap /etc/zrok/ctrl.yaml
+ zrok admin bootstrap /etc/zrok/ctrl.yaml || {
+ zrok admin unbootstrap /etc/zrok/ctrl.yaml
+ exit 1
+ }
 
 # granted permission to read secrets in namespace by SA managed by this chart
 if kubectl -n {{ .Release.Namespace }} get secret \
@@ -105,7 +108,7 @@ data:
 zrok enable --headless --description "{{ include "zrok.fullname" . }} test run" "${ZROK_ENABLE_TOKEN}"
 
- zrok test canary public-proxy |& tee /tmp/test.out
+ ZROK_DANGEROUS_CANARY=1 zrok test canary public-proxy |& tee /tmp/test.out
 
 IGNORED_ERRORS='('
 IGNORED_ERRORS+='0 errors'
diff --git a/charts/zrok/templates/frontend-deployment.yaml b/charts/zrok/templates/frontend-deployment.yaml
index a6102036..219d5626 100644
--- a/charts/zrok/templates/frontend-deployment.yaml
+++ b/charts/zrok/templates/frontend-deployment.yaml
@@ -54,7 +54,7 @@ spec:
 secretKeyRef:
 name: {{ include "zrok.fullname" . }}-ziti-mgmt-secret
 key: admin-password
- # this is needed for ziti CLI to work because it assumes a writeable config dir
+ # this is needed for ziti CLI to work because it assumes a writable config dir
 - name: HOME
 value: /tmp
 volumeMounts:
diff --git a/charts/zrok/templates/frontend-secrets-configmap.yaml b/charts/zrok/templates/frontend-secrets-configmap.yaml
index d6defb73..5b2f843a 100644
--- a/charts/zrok/templates/frontend-secrets-configmap.yaml
+++ b/charts/zrok/templates/frontend-secrets-configmap.yaml
@@ -165,7 +165,7 @@ data:
 {{ toYaml .Values.frontend.extraConfig }}
 {{- end }}
 
- {{ .Values.frontend.deBootstrapScript }}: |-
+ unbootstrap.bash: |-
 #!/usr/bin/env bash
 set -o errexit
 set -o nounset
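Review bot: The rollback branch added after `zrok admin bootstrap` hides why bootstrap failed: nothing is logged before `zrok admin unbootstrap` runs and `exit 1` replaces the original exit status, so a reader of the job log sees only the unbootstrap output. Add a line at the top of the group, `echo "zrok admin bootstrap failed; running unbootstrap to roll back" >&2`, so both the cause and the rollback are visible. Because the `{ … }` group is the final element of the `||` list, errexit (if it is enabled earlier in this script, outside the hunk) still applies inside it, so a failing unbootstrap aborts with its own status before reaching `exit 1`; that is probably acceptable but deserves a comment. The script body begins and ends outside the hunk.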
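Review bot: `ZROK_DANGEROUS_CANARY=1` is prepended to the canary run with no comment on why an opt-in the tool itself labels "dangerous" is being switched on in the chart's test script, or what it permits; the variable's exact effect is not visible in this hunk. A comment above the line, such as `# the canary refuses to run without this opt-in; it is acceptable here because the test runs against the freshly installed release only`, would keep the next maintainer from removing or copying it blindly (adjust the justification to what the flag actually guards). The surrounding script continues outside the hunk.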
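Review bot: Replacing `{{ .Values.frontend.deBootstrapScript }}` with the literal `unbootstrap.bash` removes a user-settable value, yet Chart.yaml only moves the chart version from 1.0.0 to 1.0.1; under semver a removed value is at least a minor change, and users who still set `frontend.deBootstrapScript` will have it silently ignored rather than rejected. The same literal is now repeated in this key and in four places of `pre-delete-hook .yaml` (mountPath, subPath, the configMap item key/path, and `command`), so a future rename needs five coordinated edits; a named template or a comment on this key, `# key name must match the mount, item and command in pre-delete-hook .yaml`, would tie them together. The script under this key continues outside the hunk.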
@@ -197,9 +197,7 @@ data:
 # expectation that the ziti controller is still reachable during zrok uninstall
 zitiLogin
 
- # pending de-bootstrapping feature https://github.com/openziti/zrok/issues/290
- ziti edge delete identities where 'name="public"'
- ziti edge delete edge-router-policies where 'name="public"'
+ zrok admin unbootstrap /etc/zrok/ctrl.yaml
 
 zitiLogin: |-
 #!/usr/bin/env bash
diff --git a/charts/zrok/templates/pre-delete-hook .yaml b/charts/zrok/templates/pre-delete-hook .yaml
index 3df296a8..9e60a0c5 100644
--- a/charts/zrok/templates/pre-delete-hook .yaml
+++ b/charts/zrok/templates/pre-delete-hook .yaml
@@ -45,22 +45,25 @@ spec:
 secretKeyRef:
 name: {{ include "zrok.fullname" . }}-ziti-mgmt-secret
 key: admin-password
- # this is needed for ziti CLI to work because it assumes a writeable config dir
+ # this is needed for ziti CLI to work because it assumes a writable config dir
 - name: HOME
 value: /tmp
 volumeMounts:
- - name: zrok-config
- mountPath: /usr/local/bin/{{ .Values.frontend.deBootstrapScript }}
- subPath: {{ .Values.frontend.deBootstrapScript }}
+ - name: zrok-frontend-config
+ mountPath: /usr/local/bin/unbootstrap.bash
+ subPath: unbootstrap.bash
 # used by ziti CLI in zitiLogin
+ - name: zrok-controller-config
+ mountPath: /etc/zrok
+ readOnly: true
 - name: ziti-ctrl-plane-cas
 mountPath: {{ .Values.ziti.ca_cert_dir }}/{{ .Values.ziti.ca_cert_file }}
 subPath: {{ .Values.ziti.ca_cert_file }}
 readOnly: true
 - mountPath: /usr/local/bin/zitiLogin
- name: zrok-config
+ name: zrok-frontend-config
 subPath: zitiLogin
- command: ["{{ .Values.frontend.deBootstrapScript }}"]
+ command: ["unbootstrap.bash"]
 # command: ["sh", "-c", "while true; do sleep 86400; done"]
 {{- with .Values.affinity }}
 affinity:
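Review bot: `zrok admin unbootstrap /etc/zrok/ctrl.yaml` hard-codes the path that `pre-delete-hook .yaml` now mounts, and the script still runs `zitiLogin` immediately before it even though the ziti CLI deletions that needed the login are gone; if `zrok admin unbootstrap` presumably authenticates to ziti from `ctrl.yaml` itself, the login is now dead setup that keeps the ziti management secret in the hook pod for nothing, and if it is still needed a comment should say by which command. A guard before the call, `[[ -r /etc/zrok/ctrl.yaml ]] || { echo "controller config not mounted at /etc/zrok/ctrl.yaml" >&2; exit 1; }`, turns a missing mount into a clear failure instead of whatever error the CLI prints. The script begins outside the hunk.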
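Review bot: The new `zrok-controller-config` mount is inserted between the comment `# used by ziti CLI in zitiLogin` and the `ziti-ctrl-plane-cas` mount that comment describes, so the comment now reads as if it belongs to the controller config; move the three new lines above the comment or below the CA mount. A comment of their own, `# controller config read by zrok admin unbootstrap`, would also explain why a frontend hook mounts the controller's configuration. `readOnly: true` on the new mount is right. The volumeMounts list begins outside the hunk.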
@@ -71,16 +74,23 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 volumes:
- - name: zrok-config
+ - name: zrok-frontend-config
 configMap:
 name: {{ include "zrok.fullname" . }}-frontend-config
 items:
- - key: {{ .Values.frontend.deBootstrapScript }}
- path: {{ .Values.frontend.deBootstrapScript }}
+ - key: unbootstrap.bash
+ path: unbootstrap.bash
 mode: 0555
 - key: zitiLogin
 path: zitiLogin
 mode: 0555
+ - name: zrok-controller-config
+ configMap:
+ name: {{ include "zrok.fullname" . }}-config
+ defaultMode: 0444
+ items:
+ - key: ctrl.yaml
+ path: ctrl.yaml
 - name: ziti-ctrl-plane-cas
 configMap:
 name: {{ .Values.ziti.ca_cert_configmap }}
diff --git a/charts/zrok/values.yaml b/charts/zrok/values.yaml
index 465a7154..b1cb6ff5 100644
--- a/charts/zrok/values.yaml
+++ b/charts/zrok/values.yaml
@@ -220,7 +220,6 @@ frontend:
 # -- a read-only mountpoint for the frontend's Ziti identity is "homeDir"
 # because zrok always looks in $HOME/.zrok/identities
 homeDir: /var/lib/zrok
- deBootstrapScript: delete-identity.sh
 # -- append additional frontend config
 extraConfig: {}
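Review bot: The new `zrok-controller-config` volume takes `ctrl.yaml` from the `…-config` ConfigMap that controller-deployment.yaml also mounts, so a second workload now reads the controller's configuration; since that ConfigMap is rendered by a template named controller-secrets-configmap.yaml, it likely carries controller credentials, and a comment on the volume, `# controller config for zrok admin unbootstrap; may contain controller credentials`, would make that visible to anyone reviewing what the hook pod can read. Restricting the volume to `ctrl.yaml` via `items` is good; `defaultMode: 0444` is a different style from the per-item `mode: 0555` on the sibling volume a few lines up, harmless but inconsistent. The volumes list continues outside the hunk.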