diff --git a/.github/workflows/cloud-release.yml b/.github/workflows/cloud-release.yml index a273309ba68..fae28f00e44 100644 --- a/.github/workflows/cloud-release.yml +++ b/.github/workflows/cloud-release.yml @@ -99,7 +99,7 @@ jobs: sudo mv /tmp/sealos /usr/bin/sealos sudo sealos version - name: Build - run: export CLOUD_VERSION=${{ github.event.release.tag_name }} && export ARCH=arm64 && bash ./scripts/cloud/build-offline-tar.sh + run: export CLOUD_VERSION=${{ github.event.release.tag_name }} && VERSION=${{ github.event.release.tag_name }} && export ARCH=arm64 && bash ./scripts/cloud/build-offline-tar.sh - name: Setup ossutil uses: manyuanrong/setup-ossutil@v2.0 with: @@ -111,4 +111,4 @@ jobs: - name: Upload run: | ossutil cp ./sealos-cloud.tar.gz oss://${{ secrets.OSS_BUCKET }}/cloud/sealos-cloud-${{ github.event.release.tag_name }}-arm64.tar.gz - ossutil cp ./sealos-cloud.tar.gz.md5 oss://${{ secrets.OSS_BUCKET }}/cloud/sealos-cloud-${{ github.event.release.tag_name }}-arm64.tar.gz.md5 \ No newline at end of file + ossutil cp ./sealos-cloud.tar.gz.md5 oss://${{ secrets.OSS_BUCKET }}/cloud/sealos-cloud-${{ github.event.release.tag_name }}-arm64.tar.gz.md5 diff --git a/deploy/cloud/scripts/init.sh b/deploy/cloud/scripts/init.sh index a46e384c9d8..e52a10f1f23 100644 --- a/deploy/cloud/scripts/init.sh +++ b/deploy/cloud/scripts/init.sh @@ -10,9 +10,12 @@ cockroachdbGlobalUri="" localRegionUID="" tlsCrtPlaceholder="" -tlsKeyPlaceholder="" acmednsSecretPlaceholder="" + saltKey="" +jwtInternal="" +jwtRegional="" +jwtGlobal="" function prepare { # source .env @@ -36,6 +39,9 @@ function prepare { # gen regionUID if not set or not found in secret gen_regionUID + # gen jwt tokens + gen_jwt_tokens + # create tls secret create_tls_secret } 
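Review bot: In the Build step's `run:` line, the new `VERSION=${{ github.event.release.tag_name }}` is assigned without `export`, so unless VERSION is already exported in the runner environment, the child `bash ./scripts/cloud/build-offline-tar.sh` will not see it. The same line pastes the release tag into the shell text through `${{ }}` expansion, so a tag name containing shell metacharacters would be interpreted by the shell instead of being treated as data. Passing the values through the step's `env:` block fixes both. The build script is not part of this diff, so that it reads VERSION is inferred from the change.

```yaml
      - name: Build
        env:
          CLOUD_VERSION: ${{ github.event.release.tag_name }}
          VERSION: ${{ github.event.release.tag_name }}
          ARCH: arm64
        run: bash ./scripts/cloud/build-offline-tar.sh
```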
@@ -132,6 +138,7 @@ function gen_cockroachdbUri() { cockroachdbGlobalUri="$cockroachdbUri/global" } +# TODO: use a better way to check saltKey function gen_saltKey() { password_salt=$(kubectl get configmap desktop-frontend-config -n sealos -o jsonpath='{.data.config\.yaml}' | grep "salt:" | awk '{print $2}' 2>/dev/null | tr -d '"' || true) if [[ -z "$password_salt" ]]; then @@ -141,6 +148,28 @@ function gen_saltKey() { fi } +# TODO: use a better way to check jwt tokens +function gen_jwt_tokens() { + jwt_internal=$(kubectl get configmap desktop-frontend-config -n sealos -o jsonpath='{.data.config\.yaml}' | grep "internal:" | awk '{print $2}' 2>/dev/null | tr -d '"' || true) + if [[ -z "$jwt_internal" ]]; then + jwtInternal=$(tr -dc 'a-z0-9' /dev/null | tr -d '"' || true) + if [[ -z "$jwt_regional" ]]; then + jwtRegional=$(tr -dc 'a-z0-9' /dev/null | tr -d '"' || true) + if [[ -z "$jwt_global" ]]; then + jwtGlobal=$(tr -dc 'a-z0-9' /dev/null | tr -d '"' || true) if [[ -z "$uid" ]]; then @@ -176,7 +205,10 @@ function sealos_run_desktop { --env regionUID="$localRegionUID" \ --env databaseMongodbURI="${mongodbUri}/sealos-auth?authSource=admin" \ --env databaseLocalCockroachdbURI="$cockroachdbLocalUri" \ - --env databaseGlobalCockroachdbURI="$cockroachdbGlobalUri" + --env databaseGlobalCockroachdbURI="$cockroachdbGlobalUri" \ + --env jwtInternal="$jwtInternal" \ + --env jwtRegional="$jwtRegional" \ + --env jwtGlobal="$jwtGlobal" } function sealos_run_controller { diff --git a/frontend/desktop/deploy/Kubefile b/frontend/desktop/deploy/Kubefile index cb8685bde5f..fe24acf60e3 100644 --- a/frontend/desktop/deploy/Kubefile +++ b/frontend/desktop/deploy/Kubefile @@ -13,5 +13,8 @@ ENV databaseMongodbURI="" ENV databaseGlobalCockroachdbURI="" ENV databaseLocalCockroachdbURI="" ENV passwordSalt="randomSalt" +ENV jwtInternal="" +ENV jwtRegional="" +ENV jwtGlobal="" CMD ["bash scripts/init.sh"] 
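Review bot: In gen_jwt_tokens the existing value is detected with `grep "internal:" | awk '{print $2}'` over the whole `config.yaml`, which matches any line containing `internal:` and not only the key under `jwt:`, so an unrelated key can make the check treat the secret as already set and skip generation. The `2>/dev/null` sits on `awk` rather than on `kubectl`, so lookup errors are not the ones being silenced. The hunk text is truncated on this page, so the generated length and whether a found value is copied into `jwtInternal` cannot be confirmed; with the `a-z0-9` alphabet, at least 32 characters are needed for a signing key of reasonable strength. Until the TODO is resolved, a comment such as `# NOTE: matches any "internal:" line in config.yaml, not only jwt.internal` would make the limitation explicit. The regional and global lookups presumably follow the same pattern.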
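Review bot: The added `--env jwtInternal="$jwtInternal"`, `--env jwtRegional="$jwtRegional"` and `--env jwtGlobal="$jwtGlobal"` arguments in sealos_run_desktop put the JWT signing secrets on a command line, where they are readable from the process list and from any `set -x` or CI trace while the command runs. The configmap.yaml.tmpl hunk then renders the same values into a ConfigMap rather than a Secret. ConfigMap data is readable by any subject allowed to get configmaps in the namespace and is not covered by Secret encryption at rest. Consider writing the generated values to a Kubernetes Secret that the desktop frontend reads, and at minimum add a comment like `# jwt* values are signing keys: never echo or log these arguments`. The function body starts outside the hunk.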
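Review bot: The new `ENV jwtInternal=""`, `ENV jwtRegional=""` and `ENV jwtGlobal=""` defaults mean that running this image without the three `--env` values renders `internal: ""`, `regional: ""` and `global: ""` into the config, and no visible check stops the install with empty JWT secrets. The frontend init.sh hunk later in this diff appears to remove the in-script random generation, so the caller becomes the only source of these values. A guard near the top of scripts/init.sh would fail closed, for example `[[ -n "$jwtInternal" && -n "$jwtRegional" && -n "$jwtGlobal" ]] || { echo "jwt secrets must be set" >&2; exit 1; }`. This assumes the Kubefile ENV values are visible to the CMD script as environment variables.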
diff --git a/frontend/desktop/deploy/manifests/configmap.yaml.tmpl b/frontend/desktop/deploy/manifests/configmap.yaml.tmpl index 77c3634b860..ac9e9c33a5f 100644 --- a/frontend/desktop/deploy/manifests/configmap.yaml.tmpl +++ b/frontend/desktop/deploy/manifests/configmap.yaml.tmpl @@ -43,9 +43,9 @@ data: invite: enabled: false jwt: - internal: "" - regional: "" - global: "" + internal: "{{ .jwtInternal }}" + regional: "{{ .jwtRegional }}" + global: "{{ .jwtGlobal }}" idp: password: enabled: true diff --git a/frontend/desktop/deploy/scripts/init.sh b/frontend/desktop/deploy/scripts/init.sh index b6ebb7a1476..2c2113eccfe 100644 --- a/frontend/desktop/deploy/scripts/init.sh +++ b/frontend/desktop/deploy/scripts/init.sh @@ -6,8 +6,5 @@ if [[ -n "$cm_exists" ]]; then echo "desktop-frontend-config already exists, skip create desktop config" else echo "create desktop config" - sed -i -e "s;;$(tr -cd 'a-z0-9' ;$(tr -cd 'a-z0-9' ;$(tr -cd 'a-z0-9'