diff --git a/.gitignore b/.gitignore
index 3163c96..362bc61 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,7 +57,5 @@ terraform.*
*.tfvars
flux-git-auth.yaml
-
-
# custom
-_*
\ No newline at end of file
+_*
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..7d9dc26
--- /dev/null
+++ b/.terraform.lock.hcl
@@ -0,0 +1,55 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/google" {
+ version = "5.27.0"
+ constraints = "~> 5.27.0"
+ hashes = [
+ "h1:cMRlEcTObLOVpFx09v3osbNtKayr2IIJFuhsRPdfrT4=",
+ "zh:10dee695387df836c8f2a7e7f4609e3d3d910e8070cebf91bdd4e4449237191b",
+ "zh:260a2bf30a5e0cbbb2a331a74561886df3d380be26beeb1f50a3cab829208eed",
+ "zh:2a87013cb2a408b2d494e2e7a938d2c6df7ed85156a6fe6be47a84390c3e3162",
+ "zh:443aa9b0637de3e20ff901a5e2e431d82bac80067eca3256d8792b4d069a9018",
+ "zh:4eb358ad15b756993b36fa7ef70507b9ad3fefa7869ac6d483a83a9f8beaa5f7",
+ "zh:5e8657fca3376d3b8f57aaa2ebf0575974f0d3af7448ad456ceae8364322362b",
+ "zh:8bcf6fa7adcc375ffb293dc72ba4e1ee8ad39fbadf11d901bd413fa01de836c6",
+ "zh:965d6df9bf7f0d85e0f61a9d7e5afdd389219e8b339ed241646ac292aedc839e",
+ "zh:c573e6c6e84691bf1c7736c238290441b2be40038972230dcaa7adc48b74b316",
+ "zh:eac4f56c4f3ddaead0a55d3b2016391578fdf3dea060b2ed32ac80974cd46b1d",
+ ]
+}
+
+provider "registry.opentofu.org/hashicorp/helm" {
+ version = "2.14.0"
+ hashes = [
+ "h1:K1yXsEeNhW/7YVSvsv55UaFSx4hHeKB1giPuQUKmFfQ=",
+ "zh:1c84ca8c274564c46497e89055139c7af64c9e1a8dd4f1cd4c68503ac1322fb8",
+ "zh:211a763173934d30c2e49c0cc828b1e34a528b0fdec8bf48d2bb3afadd4f9095",
+ "zh:3dca0b703a2f82d3e283a9e9ca6259a3b9897b217201f3cddf430009a1ca00c9",
+ "zh:40c5cfd48dcef54e87129e19d31c006c2e3309ee6c09d566139eaf315a59a369",
+ "zh:6f23c00ca1e2663e2a208a7491aa6dbe2604f00e0af7e23ef9323206e8f2fc81",
+ "zh:77f8cfc4888600e0d12da137bbdb836de160db168dde7af26c2e44cf00cbf057",
+ "zh:97b99c945eafa9bafc57c3f628d496356ea30312c3df8dfac499e0f3ff6bf0c9",
+ "zh:a01cfc53e50d5f722dc2aabd26097a8e4d966d343ffd471034968c2dc7a8819d",
+ "zh:b69c51e921fe8c91e38f4a82118d0b6b0f47f6c71a76f506fde3642ecbf39911",
+ "zh:fb8bfc7b8106bef58cc5628c024103f0dd5276d573fe67ac16f343a2b38ecee8",
+ ]
+}
+
+provider "registry.opentofu.org/hashicorp/kubernetes" {
+ version = "2.29.0"
+ constraints = "~> 2.29.0"
+ hashes = [
+ "h1:WcfXWA92IBkzQCGSv05Yb8Lped8kp7RRJEQIWG5nDTY=",
+ "zh:2467de940f98ef5d3ed977a0f6b797962cd9ae6210ef706b8f6e6db23a0b3b99",
+ "zh:480a2ccc9e1f3a444b6ebf836d87061002be00c54482be7180e090dddc47809e",
+ "zh:4ce04ba31734813d6636b51b2346b8262253264033be2775d66e8298551c2dde",
+ "zh:56b94fcd5ba65cae892fd64e831838369ae4615582c314eee73fa2e513689991",
+ "zh:5a7e858dc3600e542182abcec9079e2f8741d1ba72114e87668ef64679e7191a",
+ "zh:905b6eb78f19bd80b22c688af06130353977f77f313738c8e0cfc524e8550d4c",
+ "zh:ccf5c3e7383d11785a735a0ce7751e4ff394b133aa5085857139eaec1d9a54c1",
+ "zh:eb4e72d3abf937c283f702342eb1fc820b3dbfc743b1e24c84c3604c8fca1988",
+ "zh:eea59cd51ef366269231cbfa5b77fc3b9fbebecfd6bca8dff27e5abd96188d92",
+ "zh:f026a8b4fa2ca566c3d6cd9bfdd0dd58c0631e3d945b98a8ced0943aa27dd4bd",
+ ]
+}
diff --git a/README.md b/README.md
index b18794f..6cea871 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
# How to use repo
1. Create `terraform.tfvars` file with a few variables
-```bash
+```shell
project = "gcp-project"
region = "europe-west1"
environment_name = "demo"
@@ -11,7 +11,7 @@ environment_name = "demo"
All commands will be applied via Terraform 1.7.0 and via OpenTofu, the same version.
Here are OpenTofu commands.
-```bash
+```shell
tofu init
tofu apply
```
@@ -19,18 +19,22 @@ tofu apply
3. Get the credentials for the new cluster (configure kubeconfig)
You can see all useful commands and links in the output:
-```bash
+
+```shell
tofu output
```
There is a manual command:
-```bash
-gcloud container clusters get-credentials $(tofu output -raw kubernetes_cluster_name) --region $(tofu output -raw region) --project $(tofu output -raw project)
+
+```shell
+gcloud container clusters get-credentials $(tofu output -raw kubernetes_cluster_name) --region $(tofu output -raw zone) --project $(tofu output -raw project)
```
+Or just use `./get-credentials.sh`
+
4. Destroy all resources
-```bash
+```shell
tofu destroy
```
@@ -48,6 +52,7 @@ tofu destroy
| Name | Version |
|------|---------|
| [google](#provider\_google) | 5.27.0 |
+| [kubernetes](#provider\_kubernetes) | 2.29.0 |
## Modules
@@ -61,6 +66,8 @@ No modules.
| [google_compute_subnetwork.subnet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork) | resource |
| [google_container_cluster.primary](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) | resource |
| [google_container_node_pool.primary_nodes](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool) | resource |
+| [google_project_service.service_networking](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
+| [kubernetes_namespace.demo-cluster](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [google_client_config.primary](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
## Inputs
@@ -68,7 +75,6 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [environment\_name](#input\_environment\_name) | n/a | `string` | `"demo"` | no |
-| [gke\_num\_nodes](#input\_gke\_num\_nodes) | number of gke nodes | `number` | `1` | no |
| [project](#input\_project) | Google Project to create resources in | `string` | `"demo"` | no |
| [region](#input\_region) | The region to host the cluster in | `string` | `"us-central1"` | no |
| [vpc\_host\_project](#input\_vpc\_host\_project) | Host Project where virtual network exists | `string` | `"demo"` | no |
@@ -85,4 +91,5 @@ No modules.
| [kubernetes\_cluster\_name](#output\_kubernetes\_cluster\_name) | GKE Cluster Name |
| [project](#output\_project) | GCloud Project ID |
| [region](#output\_region) | GCloud Region |
+| [zone](#output\_zone) | GCloud Project ID |
diff --git a/demo-namespace.tf b/demo-namespace.tf
new file mode 100644
index 0000000..fd20be8
--- /dev/null
+++ b/demo-namespace.tf
@@ -0,0 +1,6 @@
+resource "kubernetes_namespace" "demo-cluster" {
+ metadata {
+ name = "demo-cluster"
+ }
+ depends_on = [google_container_node_pool.primary_nodes]
+}
diff --git a/flux.tf b/flux.tf
deleted file mode 100644
index 20fb86c..0000000
--- a/flux.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-# resource "kubernetes_namespace" "flux-system" {
-# metadata {
-# name = "flux-system"
-# }
-# }
\ No newline at end of file
diff --git a/get-credentials.sh b/get-credentials.sh
new file mode 100755
index 0000000..ff284a1
--- /dev/null
+++ b/get-credentials.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+gcloud container clusters get-credentials $(tofu output -raw kubernetes_cluster_name) --region $(tofu output -raw zone) --project $(tofu output -raw project)
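Review bot: The script runs `gcloud` even when one of the three `tofu output` substitutions fails, because there is no `set -e`/`pipefail` and the unquoted `$(...)` expand to nothing, so a missing output turns into a confusing gcloud error or a lookup against the wrong project. Add `set -euo pipefail` after the shebang and quote the substitutions, e.g. `--region "$(tofu output -raw zone)"`. The value passed to `--region` is now a zone (`us-central1-b`), which gcloud may tolerate but `--zone` or `--location` states the intent and avoids relying on that. A one-line header such as `# Writes kubeconfig for the cluster created by this module; run after tofu apply` would also help.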
diff --git a/gke.tf b/gke.tf
index 5d5ec2e..f0b2c54 100644
--- a/gke.tf
+++ b/gke.tf
@@ -1,7 +1,6 @@
-# GKE cluster
resource "google_container_cluster" "primary" {
name = "${var.project}-gke"
- location = var.region
+ location = var.zone
# We can't create a cluster with no node pool defined, but we want to only use
# separately managed node pools. So we create the smallest possible default
@@ -13,18 +12,19 @@ resource "google_container_cluster" "primary" {
subnetwork = google_compute_subnetwork.subnet.name
deletion_protection = false # Use this only for study purposess
depends_on = [google_compute_network.vpc, google_compute_subnetwork.subnet]
- # min_master_version = "1.26.5-gke.1200"
}
-# Separately Managed Node Pool
resource "google_container_node_pool" "primary_nodes" {
name = google_container_cluster.primary.name
- location = var.region
+ location = var.zone
cluster = google_container_cluster.primary.name
- node_count = var.gke_num_nodes
+ node_count = 1
node_config {
oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
+ "https://www.googleapis.com/auth/compute",
+ "https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring",
]
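Review bot: Adding `https://www.googleapis.com/auth/cloud-platform` to `oauth_scopes` gives every node (and any pod that can reach the metadata server) a token with full API scope for the node service account, which appears to be the default compute service account since no `service_account` is set in the visible lines. With `cloud-platform` present, `compute` and `devstorage.read_only` are redundant subsets, so the list is either over-broad or carries dead entries. Unless a concrete workload needs project-wide API access from the node identity, drop the `cloud-platform` and `compute` lines and keep `devstorage.read_only`, `logging.write` and `monitoring`, giving workloads their own permissions via Workload Identity instead; if the broad scope is intentional, say why in a comment such as `# cloud-platform: required by <workload>; review before production use`. Hard-coding `node_count = 1` also drops the `gke_num_nodes` knob, so consider keeping the variable.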
@@ -34,8 +34,11 @@ resource "google_container_node_pool" "primary_nodes" {
}
preemptible = true
- machine_type = "custom-2-4096" # 1 core too low for Prometheus...
- tags = ["gke-node", "${var.project}-gke"]
+ machine_type = "n2-standard-8"
+ tags = [
+ "${var.environment_name}-k8s-${var.region}",
+ "${var.environment_name}-k8s-${var.region}-nodes"
+ ]
metadata = {
disable-legacy-endpoints = "true"
}
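Review bot: The network tags change from `gke-node`/`${var.project}-gke` to names derived from `environment_name` and `region`, so any firewall rule outside this diff that targets the old tags will stop matching these nodes; nothing in the hunk creates or updates such rules. A comment naming what the tags are meant to be consumed by, e.g. `# tags are matched by the <env>-k8s-<region> firewall rules`, would make that contract visible. The `node_config` block begins before this hunk.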
diff --git a/outputs.tf b/outputs.tf
index 1b0f5a4..e0bfc6f 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -8,6 +8,11 @@ output "project" {
value = var.project
}
+output "zone" {
+ description = "GCloud Project ID"
+ value = var.zone
+}
+
output "kubernetes_cluster_name" {
description = "GKE Cluster Name"
value = google_container_cluster.primary.name
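Review bot: The new `zone` output carries the description `"GCloud Project ID"`, copied from the `project` output above, which is wrong and is also what `tofu output` and the README table will show. Change it to `description = "GCloud Zone"`. The `kubernetes_cluster_name` output block closes outside this hunk.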
@@ -20,7 +25,7 @@ output "kubernetes_cluster_host" {
output "gcloud_gke_get_creds" {
description = "Command to get GKE credentials"
- value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
+ value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${google_container_cluster.primary.location} --project ${var.project}"
}
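Review bot: The generated command now passes a zone (`google_container_cluster.primary.location`, set to `var.zone` in gke.tf) through `--region`; gcloud may still resolve a zonal cluster that way, but the flag no longer describes what is being passed. Use `--zone` here, or `--location`, which accepts either form; the same flag mismatch exists in the README command and in get-credentials.sh.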
output "gcloud_vpc_link" {
diff --git a/providers.tf b/providers.tf
index e00c4b7..53f8469 100644
--- a/providers.tf
+++ b/providers.tf
@@ -1,5 +1,10 @@
data "google_client_config" "primary" {}
+provider "google" {
+ project = var.project
+ region = var.region
+}
+
provider "kubernetes" {
host = "https://${google_container_cluster.primary.endpoint}"
token = data.google_client_config.primary.access_token
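Review bot: The `kubernetes` provider is configured from `google_container_cluster.primary.endpoint` and a `google_client_config` access token in the same root module, which is fragile: the endpoint is unknown until the cluster exists, so a plan or destroy where the cluster is absent or being replaced can fail, and the access token is short-lived, so a long apply can lose cluster access partway through. At minimum document this assumption, e.g. `# NOTE: provider derives endpoint/token from the cluster in this module; expect issues on destroy/replace and on applies longer than the token lifetime`, and consider moving Kubernetes resources to a separate root module. The `provider "kubernetes"` block continues outside this hunk.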
diff --git a/variables.tf b/variables.tf
index f1601e9..0fa062e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -26,8 +26,3 @@ variable "zone" {
description = "The region to host the cluster in"
default = "us-central1-b"
}
-
-variable "gke_num_nodes" {
- default = 1
- description = "number of gke nodes"
-}
diff --git a/vpc.tf b/vpc.tf
index 63a5aa5..75e07b0 100644
--- a/vpc.tf
+++ b/vpc.tf
@@ -1,19 +1,19 @@
-provider "google" {
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork
+resource "google_project_service" "service_networking" {
+ service = "servicenetworking.googleapis.com"
project = var.project
- region = var.region
}
-# VPC
resource "google_compute_network" "vpc" {
name = "${var.project}-vpc"
auto_create_subnetworks = "false"
}
-# Subnet
resource "google_compute_subnetwork" "subnet" {
name = "${var.project}-subnet"
region = var.region
network = google_compute_network.vpc.name
- ip_cidr_range = "10.10.0.0/24"
+ ip_cidr_range = "10.0.0.0/14"
private_ip_google_access = true
+ depends_on = [google_compute_network.vpc]
}
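Review bot: `google_project_service.service_networking` is not referenced by any other resource, so nothing orders the API enablement before the cluster or subnet is created, and on `tofu destroy` the provider's default `disable_on_destroy = true` will turn the Service Networking API off for the whole project, which can break other users of a shared project. Set `disable_on_destroy = false` on that resource and add it to the `depends_on` of the resource that needs it. The comment above the resource links the `compute_subnetwork` docs, which does not explain why this service is enabled; replace it with why it is needed. The `depends_on = [google_compute_network.vpc]` on the subnet is redundant since `network` already references the VPC, and the jump to `10.0.0.0/14` is a large range that should be checked against the host project's existing addressing.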