diff --git a/.yamllint b/.yamllint
new file mode 100644
index 00000000000..d3010d321b4
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,13 @@
+# Adjust the target to match the gopkg.in/yaml.v2 style used in the
+# Kubernetes ecosystem.
+
+extends: default
+
+rules:
+  document-start:
+    present: false
+  indentation:
+    indent-sequences: false
+  line-length:
+    level: warning
+    max: 120
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e4659a50d7a..168f9daa9e5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -43,6 +43,7 @@ For contributors who want to work up pull requests, the workflow is roughly:
     hack/shellcheck.sh
     hack/tf-fmt.sh -list -check
     hack/tf-lint.sh
+    hack/yaml-lint.sh
     ```
 7. Submit a pull request to the original repository.
 8. The [repo](OWNERS) [owners](OWNERS_ALIASES) will respond to your issue promptly, following [the ususal Prow workflow][prow-review].
diff --git a/data/data/bootstrap/files/opt/tectonic/bootkube-config-overrides/kube-apiserver-config-overrides.yaml b/data/data/bootstrap/files/opt/tectonic/bootkube-config-overrides/kube-apiserver-config-overrides.yaml
new file mode 100644
index 00000000000..230de8749f1
--- /dev/null
+++ b/data/data/bootstrap/files/opt/tectonic/bootkube-config-overrides/kube-apiserver-config-overrides.yaml
@@ -0,0 +1,4 @@
+apiVersion: kubecontrolplane.config.openshift.io/v1
+kind: KubeAPIServerConfig
+kubeletClientInfo:
+  ca: ""  # kubelet uses self-signed serving certs. TODO: fix kubelet pki
diff --git a/data/data/bootstrap/files/opt/tectonic/bootkube-config-overrides/kube-controller-manager-config-overrides.yaml b/data/data/bootstrap/files/opt/tectonic/bootkube-config-overrides/kube-controller-manager-config-overrides.yaml
new file mode 100644
index 00000000000..acdfd7baca6
--- /dev/null
+++ b/data/data/bootstrap/files/opt/tectonic/bootkube-config-overrides/kube-controller-manager-config-overrides.yaml
@@ -0,0 +1,2 @@
+apiVersion: kubecontrolplane.config.openshift.io/v1
+kind: KubeControllerManagerConfig
diff --git a/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-daemonset.yaml b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-daemonset.yaml
new file mode 100644
index 00000000000..0802fc3b61c
--- /dev/null
+++ b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-daemonset.yaml
@@ -0,0 +1,61 @@
+# This is needed by kube-proxy.
+# TODO: move to the networking operator renderer.
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    k8s-app: kube-proxy
+    tier: node
+  name: kube-proxy
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: kube-proxy
+      tier: node
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-proxy
+        tier: node
+    spec:
+      containers:
+      - command:
+        - ./hyperkube
+        - proxy
+        - --cluster-cidr=10.3.0.0/16
+        - --hostname-override=$(NODE_NAME)
+        - --kubeconfig=/etc/kubernetes/kubeconfig
+        - --proxy-mode=iptables
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        image: quay.io/coreos/hyperkube:v1.9.3_coreos.0
+        name: kube-proxy
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /etc/ssl/certs
+          name: ssl-certs-host
+          readOnly: true
+        - mountPath: /etc/kubernetes
+          name: kubeconfig
+          readOnly: true
+      hostNetwork: true
+      serviceAccountName: kube-proxy
+      tolerations:
+      - operator: Exists
+      volumes:
+      - hostPath:
+          path: /etc/ssl/certs
+        name: ssl-certs-host
+      - name: kubeconfig
+        secret:
+          defaultMode: 420
+          secretName: kube-proxy-kubeconfig
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
diff --git a/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-kube-system-rbac-role-binding.yaml b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-kube-system-rbac-role-binding.yaml
new file mode 100644
index 00000000000..517831fc261
--- /dev/null
+++ b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-kube-system-rbac-role-binding.yaml
@@ -0,0 +1,14 @@
+# This is needed by kube-proxy.
+# TODO: move to the networking operator renderer.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:default-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kube-system
diff --git a/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-kubeconfig.yaml.template b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-kubeconfig.yaml.template
new file mode 100644
index 00000000000..7e14f08c785
--- /dev/null
+++ b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-kubeconfig.yaml.template
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kube-proxy-kubeconfig
+  namespace: kube-system
+data:
+  kubeconfig: {{ .AdminKubeConfigBase64 }}
diff --git a/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-role-binding.yaml b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-role-binding.yaml
new file mode 100644
index 00000000000..91518391bcd
--- /dev/null
+++ b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-role-binding.yaml
@@ -0,0 +1,14 @@
+# This is needed by kube-proxy.
+# TODO: move to the networking operator renderer.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-proxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node-proxier  # Automatically created system role.
+subjects:
+- kind: ServiceAccount
+  name: kube-proxy
+  namespace: kube-system
diff --git a/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-service-account.yaml b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-service-account.yaml
new file mode 100644
index 00000000000..2036d4f40db
--- /dev/null
+++ b/data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-service-account.yaml
@@ -0,0 +1,7 @@
+# This is needed by kube-proxy.
+# TODO: move to the networking operator renderer.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: kube-proxy
diff --git a/pkg/asset/ignition/bootstrap/content/bootkube.go b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
old mode 100644
new mode 100755
similarity index 78%
rename from pkg/asset/ignition/bootstrap/content/bootkube.go
rename to data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
index 7c1dc237709..1808241d20d
--- a/pkg/asset/ignition/bootstrap/content/bootkube.go
+++ b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
@@ -1,32 +1,4 @@
-package content
-
-import (
-	"text/template"
-)
-
-const (
-	// BootkubeSystemdContents is a service for running bootkube on the bootstrap
-	// nodes
-	BootkubeSystemdContents = `
-[Unit]
-Description=Bootstrap a Kubernetes cluster
-Wants=kubelet.service
-After=kubelet.service
-ConditionPathExists=!/opt/tectonic/.bootkube.done
-
-[Service]
-WorkingDirectory=/opt/tectonic
-ExecStart=/usr/local/bin/bootkube.sh
-
-Restart=on-failure
-RestartSec=5s
-`
-)
-
-var (
-	// BootkubeShFileTemplate is a script file for running bootkube on the
-	// bootstrap nodes.
-	BootkubeShFileTemplate = template.Must(template.New("bootkube.sh").Parse(`#!/usr/bin/env bash
+#!/usr/bin/env bash
 set -e
 
 mkdir --parents /etc/kubernetes/{manifests,bootstrap-configs,bootstrap-manifests}
@@ -122,9 +94,9 @@ then
 	cp kube-scheduler-bootstrap/manifests/* manifests/
 fi
 
-# TODO: Remove this when kube-proxy is properly rendered by corresponding operator.
+# TODO: Remove this when manifest-overrides is empty.
 echo "Installing temporary bootstrap manifests..."
-cp kube-proxy-operator-bootstrap/* manifests/
+cp manifest-overrides/* manifests/
 
 if [ ! -d mco-bootstrap ]
 then
@@ -227,32 +199,3 @@ podman run \
 
 # Workaround for https://github.com/opencontainers/runc/pull/1807
 touch /opt/tectonic/.bootkube.done
-`))
-)
-
-var (
-	// BootkubeConfigOverrides contains the configuration override files passed to the render commands of the components.
-	// These are supposed to be customized by the installer where the config differs from the operator render default.
-	BootkubeConfigOverrides = []*template.Template{
-		KubeApiserverConfigOverridesTemplate,
-		KubeControllerManagerConfigOverridesTemplate,
-	}
-)
-
-var (
-	// KubeApiserverConfigOverridesTemplate are overrides that the installer passes to the default config of the
-	// kube-apiserver rendered by the cluster-kube-apiserver-operator.
-	KubeApiserverConfigOverridesTemplate = template.Must(template.New("kube-apiserver-config-overrides.yaml").Parse(`
-apiVersion: kubecontrolplane.config.openshift.io/v1
-kind: KubeAPIServerConfig
-kubeletClientInfo:
-  ca: "" # kubelet uses self-signed serving certs. TODO: fix kubelet pki
-`))
-
-	// KubeControllerManagerConfigOverridesTemplate are overrides that the installer passes to the default config of the
-	// kube-controller-manager rendered by the cluster-kube-controller-manager-operator.
-	KubeControllerManagerConfigOverridesTemplate = template.Must(template.New("kube-controller-manager-config-overrides.yaml").Parse(`
-apiVersion: kubecontrolplane.config.openshift.io/v1
-kind: KubeControllerManagerConfig
-`))
-)
diff --git a/data/data/bootstrap/files/usr/local/bin/report-progress.sh b/data/data/bootstrap/files/usr/local/bin/report-progress.sh
new file mode 100755
index 00000000000..58d9a966420
--- /dev/null
+++ b/data/data/bootstrap/files/usr/local/bin/report-progress.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -e
+
+KUBECONFIG="${1}"
+NAME="${2}"
+MESSAGE="${3}"
+TIMESTAMP="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+
+echo "Reporting install progress..."
+
+oc --config="$KUBECONFIG" create -f - <<EOF
+apiVersion: v1
+kind: Event
+metadata:
+  name: "${NAME}"
+  namespace: kube-system
+involvedObject:
+  namespace: kube-system
+message: "${MESSAGE}"
+firstTimestamp: "${TIMESTAMP}"
+lastTimestamp: "${TIMESTAMP}"
+count: 1
+source:
+  component: cluster
+  host: $(hostname)
+EOF
diff --git a/pkg/asset/ignition/bootstrap/content/tectonic.go b/data/data/bootstrap/files/usr/local/bin/tectonic.sh
old mode 100644
new mode 100755
similarity index 71%
rename from pkg/asset/ignition/bootstrap/content/tectonic.go
rename to data/data/bootstrap/files/usr/local/bin/tectonic.sh
index 906dd6291ca..7c94be97ca6
--- a/pkg/asset/ignition/bootstrap/content/tectonic.go
+++ b/data/data/bootstrap/files/usr/local/bin/tectonic.sh
@@ -1,25 +1,4 @@
-package content
-
-const (
-	// TectonicSystemdContents is a service that runs tectonic on the masters.
-	TectonicSystemdContents = `
-[Unit]
-Description=Bootstrap a Tectonic cluster
-Wants=bootkube.service
-After=bootkube.service
-ConditionPathExists=!/opt/tectonic/.tectonic.done
-
-[Service]
-WorkingDirectory=/opt/tectonic/tectonic
-ExecStart=/usr/local/bin/tectonic.sh /opt/tectonic/auth/kubeconfig
-
-Restart=on-failure
-RestartSec=5s
-`
-
-	// TectonicShFileContents is a script file for running tectonic on bootstrap
-	// nodes.
-	TectonicShFileContents = `#!/usr/bin/env bash
+#!/usr/bin/env bash
 set -e
 
 KUBECONFIG="$1"
@@ -93,5 +72,3 @@ wait_for_pods tectonic-system
 touch /opt/tectonic/.tectonic.done
 
 echo "Tectonic installation is done"
-`
-)
diff --git a/data/data/bootstrap/systemd/units/bootkube.service b/data/data/bootstrap/systemd/units/bootkube.service
new file mode 100644
index 00000000000..237e8cdffb6
--- /dev/null
+++ b/data/data/bootstrap/systemd/units/bootkube.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Bootstrap a Kubernetes cluster
+Wants=kubelet.service
+After=kubelet.service
+ConditionPathExists=!/opt/tectonic/.bootkube.done
+
+[Service]
+WorkingDirectory=/opt/tectonic
+ExecStart=/usr/local/bin/bootkube.sh
+
+Restart=on-failure
+RestartSec=5s
diff --git a/pkg/asset/ignition/bootstrap/content/kubelet.go b/data/data/bootstrap/systemd/units/kubelet.service.template
similarity index 87%
rename from pkg/asset/ignition/bootstrap/content/kubelet.go
rename to data/data/bootstrap/systemd/units/kubelet.service.template
index 531f31cdc1c..10882bf2b3e 100644
--- a/pkg/asset/ignition/bootstrap/content/kubelet.go
+++ b/data/data/bootstrap/systemd/units/kubelet.service.template
@@ -1,9 +1,3 @@
-package content
-
-var (
-	// KubeletSystemdContents is a service for running the kubelet on the
-	// bootstrap nodes.
-	KubeletSystemdContents = `
 [Unit]
 Description=Kubernetes Kubelet
 Wants=rpc-statd.service
@@ -36,5 +30,3 @@ RestartSec=10
 
 [Install]
 WantedBy=multi-user.target
-`
-)
diff --git a/data/data/bootstrap/systemd/units/progress.service b/data/data/bootstrap/systemd/units/progress.service
new file mode 100644
index 00000000000..1faaa31006b
--- /dev/null
+++ b/data/data/bootstrap/systemd/units/progress.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Report the completion of the cluster bootstrap process
+# Workaround for https://github.com/systemd/systemd/issues/1312
+Wants=bootkube.service tectonic.service
+After=bootkube.service tectonic.service
+
+[Service]
+# Workaround for https://github.com/systemd/systemd/issues/1312 and https://github.com/opencontainers/runc/pull/1807
+ExecStartPre=/usr/bin/test -f /opt/tectonic/.bootkube.done
+ExecStartPre=/usr/bin/test -f /opt/tectonic/.tectonic.done
+ExecStart=/usr/local/bin/report-progress.sh /opt/tectonic/auth/kubeconfig bootstrap-complete "cluster bootstrapping has completed"
+
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/data/data/bootstrap/systemd/units/tectonic.service b/data/data/bootstrap/systemd/units/tectonic.service
new file mode 100644
index 00000000000..bf40df31619
--- /dev/null
+++ b/data/data/bootstrap/systemd/units/tectonic.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Bootstrap a Tectonic cluster
+Wants=bootkube.service
+After=bootkube.service
+ConditionPathExists=!/opt/tectonic/.tectonic.done
+
+[Service]
+WorkingDirectory=/opt/tectonic/tectonic
+ExecStart=/usr/local/bin/tectonic.sh /opt/tectonic/auth/kubeconfig
+
+Restart=on-failure
+RestartSec=5s
diff --git a/hack/yaml-lint.sh b/hack/yaml-lint.sh
index 5441a7dbebf..455e437cb4b 100755
--- a/hack/yaml-lint.sh
+++ b/hack/yaml-lint.sh
@@ -1,7 +1,6 @@
 #!/bin/sh
-exit 0  # temporarily disable while we work out whether to drop this
 if [ "$IS_CONTAINER" != "" ]; then
-  yamllint --config-data "{extends: default, rules: {line-length: {level: warning, max: 120}}}" .
+  yamllint .
 else
   podman run --rm \
     --env IS_CONTAINER=TRUE \
diff --git a/pkg/asset/ignition/bootstrap/bootstrap.go b/pkg/asset/ignition/bootstrap/bootstrap.go
index 6719cec0ade..b5c81abdad2 100644
--- a/pkg/asset/ignition/bootstrap/bootstrap.go
+++ b/pkg/asset/ignition/bootstrap/bootstrap.go
@@ -5,7 +5,10 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
+	"io/ioutil"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"text/template"
@@ -15,9 +18,9 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 
+	"github.com/openshift/installer/data"
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/ignition"
-	"github.com/openshift/installer/pkg/asset/ignition/bootstrap/content"
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	"github.com/openshift/installer/pkg/asset/kubeconfig"
 	"github.com/openshift/installer/pkg/asset/manifests"
@@ -90,19 +93,15 @@ func (a *Bootstrap) Generate(dependencies asset.Parents) error {
 		},
 	}
 
-	a.addBootstrapFiles(dependencies)
-	a.addBootkubeFiles(dependencies, templateData)
-	a.addTemporaryBootkubeFiles(templateData)
-	a.addTectonicFiles(dependencies)
-	a.addTLSCertFiles(dependencies)
-
-	a.Config.Systemd.Units = append(
-		a.Config.Systemd.Units,
-		igntypes.Unit{Name: "bootkube.service", Contents: content.BootkubeSystemdContents},
-		igntypes.Unit{Name: "tectonic.service", Contents: content.TectonicSystemdContents},
-		igntypes.Unit{Name: "progress.service", Contents: content.ReportSystemdContents, Enabled: util.BoolToPtr(true)},
-		igntypes.Unit{Name: "kubelet.service", Contents: content.KubeletSystemdContents, Enabled: util.BoolToPtr(true)},
-	)
+	err = a.addStorageFiles("/", "bootstrap/files", templateData)
+	if err != nil {
+		return err
+	}
+	err = a.addSystemdUnits("bootstrap/systemd/units", templateData)
+	if err != nil {
+		return err
+	}
+	a.addParentFiles(dependencies)
 
 	a.Config.Passwd.Users = append(
 		a.Config.Passwd.Users,
@@ -157,75 +156,141 @@ func (a *Bootstrap) getTemplateData(installConfig *types.InstallConfig, adminKub
 	}, nil
 }
 
-func (a *Bootstrap) addBootstrapFiles(dependencies asset.Parents) {
-	kubeletKubeconfig := &kubeconfig.Kubelet{}
-	dependencies.Get(kubeletKubeconfig)
+func (a *Bootstrap) addStorageFiles(base string, uri string, templateData *bootstrapTemplateData) (err error) {
+	file, err := data.Assets.Open(uri)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
 
-	a.Config.Storage.Files = append(
-		a.Config.Storage.Files,
-		ignition.FileFromBytes("/etc/kubernetes/kubeconfig", 0600, kubeletKubeconfig.Files()[0].Data),
-	)
-	a.Config.Storage.Files = append(
-		a.Config.Storage.Files,
-		ignition.FileFromString("/usr/local/bin/report-progress.sh", 0555, content.ReportShFileContents),
-	)
+	info, err := file.Stat()
+	if err != nil {
+		return err
+	}
+
+	if info.IsDir() {
+		children, err := file.Readdir(0)
+		if err != nil {
+			return err
+		}
+		file.Close()
+
+		for _, childInfo := range children {
+			name := childInfo.Name()
+			err = a.addStorageFiles(path.Join(base, name), path.Join(uri, name), templateData)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+
+	name := info.Name()
+	_, data, err := readFile(name, file, templateData)
+	if err != nil {
+		return err
+	}
+
+	var mode int
+	if path.Base(path.Dir(uri)) == "bin" {
+		mode = 0555
+	} else {
+		mode = 0600
+	}
+	ign := ignition.FileFromBytes(strings.TrimSuffix(base, ".template"), mode, data)
+	a.Config.Storage.Files = append(a.Config.Storage.Files, ign)
+
+	return nil
 }
 
-func (a *Bootstrap) addBootkubeFiles(dependencies asset.Parents, templateData *bootstrapTemplateData) {
-	bootkubeConfigOverridesDir := filepath.Join(rootDir, "bootkube-config-overrides")
-	adminKubeconfig := &kubeconfig.Admin{}
-	manifests := &manifests.Manifests{}
-	dependencies.Get(adminKubeconfig, manifests)
+func (a *Bootstrap) addSystemdUnits(uri string, templateData *bootstrapTemplateData) (err error) {
+	enabled := map[string]bool{
+		"progress.service": true,
+		"kubelet.service":  true,
+	}
 
-	a.Config.Storage.Files = append(
-		a.Config.Storage.Files,
-		ignition.FileFromString("/usr/local/bin/bootkube.sh", 0555, applyTemplateData(content.BootkubeShFileTemplate, templateData)),
-	)
-	for _, o := range content.BootkubeConfigOverrides {
-		a.Config.Storage.Files = append(
-			a.Config.Storage.Files,
-			ignition.FileFromString(filepath.Join(bootkubeConfigOverridesDir, o.Name()), 0600, applyTemplateData(o, templateData)),
-		)
+	directory, err := data.Assets.Open(uri)
+	if err != nil {
+		return err
 	}
-	a.Config.Storage.Files = append(
-		a.Config.Storage.Files,
-		ignition.FilesFromAsset(rootDir, 0600, adminKubeconfig)...,
-	)
-	a.Config.Storage.Files = append(
-		a.Config.Storage.Files,
-		ignition.FilesFromAsset(rootDir, 0644, manifests)...,
-	)
+	defer directory.Close()
+
+	children, err := directory.Readdir(0)
+	if err != nil {
+		return err
+	}
+
+	for _, childInfo := range children {
+		name := childInfo.Name()
+		file, err := data.Assets.Open(path.Join(uri, name))
+		if err != nil {
+			return err
+		}
+		defer file.Close()
+
+		name, data, err := readFile(name, file, templateData)
+		if err != nil {
+			return err
+		}
+
+		unit := igntypes.Unit{Name: name, Contents: string(data)}
+		if _, ok := enabled[name]; ok {
+			unit.Enabled = util.BoolToPtr(true)
+		}
+		a.Config.Systemd.Units = append(a.Config.Systemd.Units, unit)
+	}
+
+	return nil
 }
 
-func (a *Bootstrap) addTemporaryBootkubeFiles(templateData *bootstrapTemplateData) {
-	kubeProxyBootstrapDir := filepath.Join(rootDir, "kube-proxy-operator-bootstrap")
-	for name, data := range content.KubeProxyBootkubeManifests {
-		a.Config.Storage.Files = append(
-			a.Config.Storage.Files,
-			ignition.FileFromString(filepath.Join(kubeProxyBootstrapDir, name), 0644, data),
-		)
+// Read data from the string reader, and, if the name ends with
+// '.template', strip that extension from the name and render the
+// template.
+func readFile(name string, reader io.Reader, templateData interface{}) (finalName string, data []byte, err error) {
+	data, err = ioutil.ReadAll(reader)
+	if err != nil {
+		return name, []byte{}, err
+	}
+
+	if filepath.Ext(name) == ".template" {
+		name = strings.TrimSuffix(name, ".template")
+		tmpl := template.New(name)
+		tmpl, err := tmpl.Parse(string(data))
+		if err != nil {
+			return name, data, err
+		}
+		stringData := applyTemplateData(tmpl, templateData)
+		data = []byte(stringData)
 	}
-	a.Config.Storage.Files = append(
-		a.Config.Storage.Files,
-		ignition.FileFromString(filepath.Join(kubeProxyBootstrapDir, "kube-proxy-kubeconfig.yaml"), 0644, applyTemplateData(content.BootkubeKubeProxyKubeConfig, templateData)),
-	)
+
+	return name, data, nil
 }
 
-func (a *Bootstrap) addTectonicFiles(dependencies asset.Parents) {
+func (a *Bootstrap) addParentFiles(dependencies asset.Parents) {
+	adminKubeconfig := &kubeconfig.Admin{}
+	kubeletKubeconfig := &kubeconfig.Kubelet{}
+	mfsts := &manifests.Manifests{}
 	tectonic := &manifests.Tectonic{}
-	dependencies.Get(tectonic)
+	dependencies.Get(adminKubeconfig, kubeletKubeconfig, mfsts, tectonic)
 
 	a.Config.Storage.Files = append(
 		a.Config.Storage.Files,
-		ignition.FileFromString("/usr/local/bin/tectonic.sh", 0555, content.TectonicShFileContents),
+		ignition.FilesFromAsset(rootDir, 0600, adminKubeconfig)...,
+	)
+	a.Config.Storage.Files = append(
+		a.Config.Storage.Files,
+		ignition.FileFromBytes("/etc/kubernetes/kubeconfig", 0600, kubeletKubeconfig.Files()[0].Data),
+		ignition.FileFromBytes("/var/lib/kubelet/kubeconfig", 0600, kubeletKubeconfig.Files()[0].Data),
+	)
+	a.Config.Storage.Files = append(
+		a.Config.Storage.Files,
+		ignition.FilesFromAsset(rootDir, 0644, mfsts)...,
 	)
 	a.Config.Storage.Files = append(
 		a.Config.Storage.Files,
 		ignition.FilesFromAsset(rootDir, 0644, tectonic)...,
 	)
-}
 
-func (a *Bootstrap) addTLSCertFiles(dependencies asset.Parents) {
 	for _, asset := range []asset.WritableAsset{
 		&tls.RootCA{},
 		&tls.KubeCA{},
diff --git a/pkg/asset/ignition/bootstrap/content/bootkube_temporary.go b/pkg/asset/ignition/bootstrap/content/bootkube_temporary.go
deleted file mode 100644
index 92117fdb2bf..00000000000
--- a/pkg/asset/ignition/bootstrap/content/bootkube_temporary.go
+++ /dev/null
@@ -1,127 +0,0 @@
-package content
-
-import "text/template"
-
-// KubeProxyBootkubeManifests is a map of manifests needed by kube-proxy to install.
-// TODO: This must move to networking operator renderer.
-var KubeProxyBootkubeManifests = map[string]string{
-	"kube-proxy-kube-system-rbac-role-binding.yaml": bootkubeKubeSystemRBACRoleBinding,
-	"kube-proxy-role-binding.yaml":                  bootkubeKubeProxyRoleBinding,
-	"kube-proxy-service-account.yaml":               bootkubeKubeProxySA,
-	"kube-proxy-daemonset.yaml":                     bootkubeKubeProxyDaemonset,
-}
-
-// BootkubeKubeProxyKubeConfig is a template for kube-proxy-kubeconfig secret.
-var (
-	BootkubeKubeProxyKubeConfig = template.Must(template.New("kube-proxy-kubeconfig").Parse(`
-apiVersion: v1
-kind: Secret
-metadata:
-  name: kube-proxy-kubeconfig
-  namespace: kube-system
-data:
-  kubeconfig: {{ .AdminKubeConfigBase64 }}
-`))
-)
-
-const (
-	bootkubeKubeSystemRBACRoleBinding = `
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system:default-sa
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: kube-system
-`
-
-	bootkubeKubeProxySA = `
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: kube-system
-  name: kube-proxy
-`
-
-	bootkubeKubeProxyDaemonset = `
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    k8s-app: kube-proxy
-    tier: node
-  name: kube-proxy
-  namespace: kube-system
-spec:
-  selector:
-    matchLabels:
-      k8s-app: kube-proxy
-      tier: node
-  template:
-    metadata:
-      labels:
-        k8s-app: kube-proxy
-        tier: node
-    spec:
-      containers:
-      - command:
-        - ./hyperkube
-        - proxy
-        - --cluster-cidr=10.3.0.0/16
-        - --hostname-override=$(NODE_NAME)
-        - --kubeconfig=/etc/kubernetes/kubeconfig
-        - --proxy-mode=iptables
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: spec.nodeName
-        image: quay.io/coreos/hyperkube:v1.9.3_coreos.0
-        name: kube-proxy
-        securityContext:
-          privileged: true
-        volumeMounts:
-        - mountPath: /etc/ssl/certs
-          name: ssl-certs-host
-          readOnly: true
-        - mountPath: /etc/kubernetes
-          name: kubeconfig
-          readOnly: true
-      hostNetwork: true
-      serviceAccountName: kube-proxy
-      tolerations:
-      - operator: Exists
-      volumes:
-      - hostPath:
-          path: /etc/ssl/certs
-        name: ssl-certs-host
-      - name: kubeconfig
-        secret:
-          defaultMode: 420
-          secretName: kube-proxy-kubeconfig
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
-    type: RollingUpdate
-`
-
-	bootkubeKubeProxyRoleBinding = `
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kube-proxy
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:node-proxier # Automatically created system role.
-subjects:
-- kind: ServiceAccount
-  name: kube-proxy
-  namespace: kube-system
-`
-)
diff --git a/pkg/asset/ignition/bootstrap/content/doc.go b/pkg/asset/ignition/bootstrap/content/doc.go
deleted file mode 100644
index 9dceac33402..00000000000
--- a/pkg/asset/ignition/bootstrap/content/doc.go
+++ /dev/null
@@ -1,3 +0,0 @@
-// Package content contains the contents of files and systemd units to be added
-// to bootstrap Ignition configs.
-package content
diff --git a/pkg/asset/ignition/bootstrap/content/report.go b/pkg/asset/ignition/bootstrap/content/report.go
deleted file mode 100644
index 76e36c55aa3..00000000000
--- a/pkg/asset/ignition/bootstrap/content/report.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package content
-
-const (
-	// ReportSystemdContents is a service that reports the bootstrap progress
-	// via a Kubernetes Event.
-	ReportSystemdContents = `
-[Unit]
-Description=Report the completion of the cluster bootstrap process
-# Workaround for https://github.com/systemd/systemd/issues/1312
-Wants=bootkube.service tectonic.service
-After=bootkube.service tectonic.service
-
-[Service]
-# Workaround for https://github.com/systemd/systemd/issues/1312 and https://github.com/opencontainers/runc/pull/1807
-ExecStartPre=/usr/bin/test -f /opt/tectonic/.bootkube.done
-ExecStartPre=/usr/bin/test -f /opt/tectonic/.tectonic.done
-ExecStart=/usr/local/bin/report-progress.sh /opt/tectonic/auth/kubeconfig bootstrap-complete "cluster bootstrapping has completed"
-
-Restart=on-failure
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target
-`
-
-	// ReportShFileContents is a script for reporting the bootstrap progress.
-	ReportShFileContents = `#!/usr/bin/env bash
-set -e
-
-KUBECONFIG="${1}"
-NAME="${2}"
-MESSAGE="${3}"
-TIMESTAMP="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
-
-echo "Reporting install progress..."
-
-oc --config="$KUBECONFIG" create -f - <<EOF
-apiVersion: v1
-kind: Event
-metadata:
-  name: "${NAME}"
-  namespace: kube-system
-involvedObject:
-  namespace: kube-system
-message: "${MESSAGE}"
-firstTimestamp: "${TIMESTAMP}"
-lastTimestamp: "${TIMESTAMP}"
-count: 1
-source:
-  component: cluster
-  host: $(hostname)
-EOF
-`
-)