diff --git a/Dockerfile b/Dockerfile
index b64454a966e94143dfc8541c9187959e2e3f6882..c40f3bc7d3a8b5e98f9bcc5ad3e1a06b66eaa161 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -42,8 +42,8 @@ HEALTHCHECK --interval=5m --timeout=3s \
   CMD curl -fsL ${JENKINS_URL}/login || exit 1
 
 # L-A-B-E-L securitytxt="https://www.cloudbees.com/.well-known/security.txt"
-# L-A-B-E-L release=c96254800631d0ea4eff5ff0347232e658eaac0b
-# L-A-B-E-L version=2.289.2.2-ra
+# L-A-B-E-L release=fcdc87a35cf67052d4222b11ced2e6c42678402d
+# L-A-B-E-L version=2.289.3.2-ra
 
 COPY files.tar /tmp
 RUN cd / && tar xvf /tmp/files.tar && rm /tmp/files.tar
diff --git a/README.md b/README.md
index 999819d4bb73434837da0adcc55fa44349047189..fc56bca9dea6e57aea51a1c2c1c10b0ae07ba38b 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker image
 For each image, all files other than UBI and native packages
 are included in a `files.tar` marked with a SHA-256 checksum.
 
-A version of CloudBees CI is given in the format `2.289.2.2-ra`
+A version of CloudBees CI is given in the format `2.289.3.2-ra`
 where the first three components are aligned with a Jenkins LTS.
 The Helm chart is coversioned with `core-oc`.
 The `core-mm` image typically shares the same version,
@@ -25,13 +25,13 @@ plus whatever other customizations are desired:
 ```yaml
 OperationsCenter:
   Image:
-    dockerImage: your-registry/core-oc:2.289.2.2-ra
+    dockerImage: your-registry/core-oc:2.289.3.2-ra
 Master:
   Image:
-    dockerImage: your-registry/core-mm:2.289.2.2-ra
+    dockerImage: your-registry/core-mm:2.289.3.2-ra
 Agents:
   Image:
-    dockerImage: your-registry/agent:2.289.2.2-ra
+    dockerImage: your-registry/agent:2.289.3.2-ra
 ```
 
 and [install via Helm 3](https://docs.cloudbees.com/docs/cloudbees-core/latest/kubernetes-install-guide/installing-kubernetes-using-helm) using the local copy of the chart:
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 3a14cb8fc4d1e6a145786a0f5abcf9186ad5e2ca..2efd661ae5d21f79710fc350e74aa961dc3069fb 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: "cloudbees/core/core-oc"
 tags:
-- "2.289.2.2-ra"
+- "2.289.3.2-ra"
 - latest
 labels:
   org.opencontainers.image.title: "core-oc"
@@ -9,7 +9,7 @@ labels:
   org.opencontainers.image.licenses: proprietary
   org.opencontainers.image.url: https://docs.cloudbees.com/docs/cloudbees-ci/
   org.opencontainers.image.vendor: CloudBees
-  org.opencontainers.image.version: "2.289.2.2-ra"
+  org.opencontainers.image.version: "2.289.3.2-ra"
   mil.dso.ironbank.image.keywords: cicd
   mil.dso.ironbank.image.type: commercial
   mil.dso.ironbank.product.name: CloudBees CI
@@ -18,10 +18,10 @@ args:
   BASE_TAG: "1.8.0"
 resources:
 - filename: files.tar
-  url: https://downloads.cloudbees.com/dsop-files/core-oc-files-71a113b144f0329c38424fc6836e9ccfda772fff3399c89b5dac485c6c954635.tar
+  url: https://downloads.cloudbees.com/dsop-files/core-oc-files-2d243c95029bbdfeb19081775dfce57e6a82d3f54fd564bce07485ff6c7ec846.tar
   validation:
     type: sha256
-    value: "71a113b144f0329c38424fc6836e9ccfda772fff3399c89b5dac485c6c954635"
+    value: "2d243c95029bbdfeb19081775dfce57e6a82d3f54fd564bce07485ff6c7ec846"
 maintainers:
 - email: productivity-team@cloudbees.com
   name: CloudBees
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index 0adaf6a0f0f6112a3b295d4ad6d13534b46ee80e..569e979cefce4b871fcf20ff34b5f44679342b63 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cloudbees-core
-version: 3.33.0
+version: 3.34.1
 description: Enterprise Continuous Integration with Jenkins
 keywords:
   - cloudbees
@@ -20,7 +20,7 @@ dependencies:
     repository: https://charts.cloudbees.com/public/cloudbees
     condition: sidecarinjector.Enabled
 icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg
-appVersion: 2.289.2.2
+appVersion: 2.289.3.2
 annotations:
   artifacthub.io/links: |
     - name: Product overview
diff --git a/helm/README-template.md b/helm/README-template.md
index 90359558447b48be21a6b61dffdcbb0e23377161..fce31b49a241a78f6e02b1aae80137e732b027c0 100644
--- a/helm/README-template.md
+++ b/helm/README-template.md
@@ -1,6 +1,6 @@
 # cloudbees-core
 
-![Version: 3.33.0](https://img.shields.io/badge/Version-3.33.0-informational?style=flat-square) ![AppVersion: 2.289.2.2](https://img.shields.io/badge/AppVersion-2.289.2.2-informational?style=flat-square)
+![Version: 3.34.1](https://img.shields.io/badge/Version-3.34.1-informational?style=flat-square) ![AppVersion: 2.289.3.2](https://img.shields.io/badge/AppVersion-2.289.3.2-informational?style=flat-square)
 
 [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides:
 
@@ -129,6 +129,8 @@ CloudBees provides complete and more detailed installation and operation documen
 | OperationsCenter.AgentListenerPort | int | `50000` | Container port for agent listener traffic |
 | OperationsCenter.Annotations | object | `{}` | Additional annotations to put on the pod running Operations Center |
 | OperationsCenter.CSRF.ProxyCompatibility | bool | `false` | Proxy compatibility for the default CSRF issuer |
+| OperationsCenter.CasC.ConfigMapName | string | `"oc-casc-bundle"` | the name of the ConfigMap used to configure Operations Center. Note: this property can point to a ConfigMap defined in OperationsCenter.ExtraConfigMaps, or any ConfigMap that exists in the cluster. If CasC is enabled and the ConfigMap doesn't exist, Operations Center will start up normally as if no CasC bundle is installed. |
+| OperationsCenter.CasC.Enabled | bool | `false` | enable or disable CasC for Operations Center. |
 | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic |
 | OperationsCenter.ContextPath | string | `nil` | the path under which Operations Center will be accessible in the given host. DEPRECATED - Use OperationsCenter.Name instead. |
 | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only |
diff --git a/helm/README.md b/helm/README.md
index e66b336faaffd67a36abf3f22eba11afafafa460..fb686d3c660b91a385302dd35d15ff1d9452ddd4 100644
--- a/helm/README.md
+++ b/helm/README.md
@@ -1,6 +1,6 @@
 # cloudbees-core
 
-![Version: 3.33.0](https://img.shields.io/badge/Version-3.33.0-informational?style=flat-square) ![AppVersion: 2.289.2.2](https://img.shields.io/badge/AppVersion-2.289.2.2-informational?style=flat-square)
+![Version: 3.34.1](https://img.shields.io/badge/Version-3.34.1-informational?style=flat-square) ![AppVersion: 2.289.3.2](https://img.shields.io/badge/AppVersion-2.289.3.2-informational?style=flat-square)
 
 [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides:
 
@@ -129,6 +129,8 @@ CloudBees provides complete and more detailed installation and operation documen
 | OperationsCenter.AgentListenerPort | int | `50000` | Container port for agent listener traffic |
 | OperationsCenter.Annotations | object | `{}` | Additional annotations to put on the pod running Operations Center |
 | OperationsCenter.CSRF.ProxyCompatibility | bool | `false` | Proxy compatibility for the default CSRF issuer |
+| OperationsCenter.CasC.ConfigMapName | string | `"oc-casc-bundle"` | the name of the ConfigMap used to configure Operations Center. Note: this property can point to a ConfigMap defined in OperationsCenter.ExtraConfigMaps, or any ConfigMap that exists in the cluster. If CasC is enabled and the ConfigMap doesn't exist, Operations Center will start up normally as if no CasC bundle is installed. |
+| OperationsCenter.CasC.Enabled | bool | `false` | enable or disable CasC for Operations Center. |
 | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic |
 | OperationsCenter.ContextPath | string | `nil` | the path under which Operations Center will be accessible in the given host. DEPRECATED - Use OperationsCenter.Name instead. |
 | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only |
diff --git a/helm/templates/cjoc-statefulset.yaml b/helm/templates/cjoc-statefulset.yaml
index 84b1e20b9a0d22aa591dd78a8b2ee26a23f58c9a..23f7af318c317c4b1deb37f9f150ccc152f0714b 100644
--- a/helm/templates/cjoc-statefulset.yaml
+++ b/helm/templates/cjoc-statefulset.yaml
@@ -176,6 +176,9 @@ spec:
             {{- end }}
             -Dcom.cloudbees.jenkins.plugins.platform.PlatformServer.apiUrl=https://flow-server.{{ .Release.Namespace }}:8443/
             {{- end }}
+            {{- if .Values.OperationsCenter.CasC.Enabled }}
+            -Dcore.casc.config.bundle=/var/jenkins_config/oc-casc-bundle
+            {{- end }}
             -XX:+UseG1GC
             -XX:+DisableExplicitGC
         ports:
@@ -203,6 +206,11 @@ spec:
           readOnly: true
         - name: tmp
           mountPath: /tmp
+        {{- if .Values.OperationsCenter.CasC.Enabled }}
+        - name: oc-casc-bundle
+          mountPath: /var/jenkins_config/oc-casc-bundle
+          readOnly: true
+        {{- end }}
 {{- if .Values.OperationsCenter.ExtraVolumeMounts }}
 {{toYaml .Values.OperationsCenter.ExtraVolumeMounts | indent 8}}
 {{- end }}
@@ -231,6 +239,12 @@ spec:
           name: cjoc-configure-jenkins-groovy
       - name: tmp
         emptyDir: {}
+      {{- if .Values.OperationsCenter.CasC.Enabled }}
+      - name: oc-casc-bundle
+        configMap:
+          name: {{ .Values.OperationsCenter.CasC.ConfigMapName | quote }}
+          optional: true
+      {{- end }}
 {{- if .Values.OperationsCenter.ExtraVolumes }}
 {{toYaml .Values.OperationsCenter.ExtraVolumes | indent 6}}
 {{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
index ea31f18de9457e5283b949942e55698ca535f692..5abfae73adfc36c54316def20206ad9bac1adfa4 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -57,7 +57,7 @@ OperationsCenter:
   # Operations Center docker image
   Image:
     # OperationsCenter.Image.dockerImage -- Container image to use for Operations Center
-    dockerImage: dcar/core-oc:2.289.2.2-ra
+    dockerImage: dcar/core-oc:2.289.3.2-ra
     # OperationsCenter.Image.dockerPullPolicy -- https://kubernetes.io/docs/concepts/containers/images/#updating-images
     dockerPullPolicy: null
 
@@ -67,6 +67,16 @@ OperationsCenter:
   # OperationsCenter.ImagePullSecrets -- Name of image pull secret to pull private Docker images or an array of image pull secrets
   ImagePullSecrets: null
 
+  # Configuration as Code (CasC) for Operations Center.
+  CasC:
+    # OperationsCenter.CasC.Enabled -- enable or disable CasC for Operations Center.
+    Enabled: false
+    # OperationsCenter.CasC.ConfigMapName -- the name of the ConfigMap used to configure Operations Center.
+    # Note: this property can point to a ConfigMap defined in OperationsCenter.ExtraConfigMaps,
+    # or any ConfigMap that exists in the cluster. If CasC is enabled and the ConfigMap doesn't exist,
+    # Operations Center will start up normally as if no CasC bundle is installed.
+    ConfigMapName: oc-casc-bundle
+
   # OperationsCenter.Platform -- Enables specific settings depending on the platform
   # platform specific values are: `eks`, `aws`, `gke`, `aks`, `openshift`, `openshift4`
   # Note: `openshift` maps to OpenShift 3.x
@@ -262,7 +272,7 @@ Master:
   # Docker image inserted in Operations Center automatically
   Image:
     # Master.Image.dockerImage -- Used to override the default docker image
-    dockerImage: dcar/core-mm:2.289.2.2-ra
+    dockerImage: dcar/core-mm:2.289.3.2-ra
   # Master.JavaOpts -- Additional Java options to pass to managed masters. For example, setting up a JMX port
   JavaOpts: null
 
@@ -279,7 +289,7 @@ Agents:
     Create: false
   Image:
     # Agents.Image.dockerImage -- Used to override the default docker image used for agents
-    dockerImage: dcar/agent:2.289.2.2-ra
+    dockerImage: dcar/agent:2.289.3.2-ra
   # Image pull secrets
   # Enable this option when using a private registry.
   # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line
diff --git a/scripts/usr/local/bin/jenkins.sh b/scripts/usr/local/bin/jenkins.sh
index 96864fe2d21f6205bd9031d495ced24172fe9e75..21d8c25f2ea43c31f7e618d43ab0c9222596fc9e 100644
--- a/scripts/usr/local/bin/jenkins.sh
+++ b/scripts/usr/local/bin/jenkins.sh
@@ -52,7 +52,7 @@ find /usr/share/jenkins/ref/ -type f -exec bash -c "copy_reference_file '{}'" \;
 
 # if `docker run` first argument start with `--` the user is passing jenkins launcher arguments
 if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
-  eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=c96254800631d0ea4eff5ff0347232e658eaac0b /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\""
+  eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=fcdc87a35cf67052d4222b11ced2e6c42678402d /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\""
 fi
 
 # As argument is not jenkins, assume user want to run his own process, for sample a `bash` shell to explore this image