diff --git a/.circleci/Makefile b/.circleci/Makefile
index c4f5057f..35b39ca5 100644
--- a/.circleci/Makefile
+++ b/.circleci/Makefile
@@ -1,5 +1,4 @@
 HELM_VERSION ?= v3.5.3
-HELM2_VERSION ?= v2.17.0
 KUSTOMIZE_VERSION ?= v3.8.8
 K8S_VERSION ?= v1.13.12
 MINIKUBE_VERSION ?= v0.30.0
@@ -15,7 +14,6 @@ VAULT_TOKEN := toor
 
 tmp := $(shell mktemp -d)
 HELM_FILENAME := helm-${HELM_VERSION}-linux-amd64.tar.gz
-HELM2_FILENAME := helm-${HELM2_VERSION}-linux-amd64.tar.gz
 KUSTOMIZE_FILENAME := kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz
 
 
@@ -28,13 +26,6 @@ helm:
 	sudo mv ${tmp}/linux-amd64/helm /usr/local/bin/
 .PHONY: helm
 
-helm2:
-	curl -sSLo $(tmp)/${HELM2_FILENAME} "https://kubernetes-helm.storage.googleapis.com/${HELM2_FILENAME}"
-	tar zxf $(tmp)/${HELM2_FILENAME} --directory ${tmp} linux-amd64/helm
-	chmod +x ${tmp}/linux-amd64/helm
-	sudo mv ${tmp}/linux-amd64/helm /usr/local/bin/
-.PHONY: helm2
-
 kustomize:
 	curl -sSLo $(tmp)/${KUSTOMIZE_FILENAME} "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILENAME}"
 	tar zxf $(tmp)/${KUSTOMIZE_FILENAME} --directory ${tmp} kustomize
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 425479fe..da25a066 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -42,7 +42,7 @@ jobs:
           go mod vendor
           ORG=roboll BUILD_URL="$CIRCLE_BUILD_URL" make image
 
-  image_helm3:
+  image_debian:
     docker:
     - image: circleci/golang:1.16.3
     working_directory: /home/circleci/workspace/helmfile
@@ -57,7 +57,7 @@ jobs:
         command: |
           make tools
           go mod vendor
-          ORG=roboll BUILD_URL="$CIRCLE_BUILD_URL" make image/helm3
+          ORG=roboll BUILD_URL="$CIRCLE_BUILD_URL" make image/debian
 
   test:
     environment:
@@ -135,7 +135,7 @@ jobs:
           docker login -u="$DOCKER_USER" -p="$DOCKER_PASS" quay.io
           make tools
           go mod vendor
-          ORG=roboll BUILD_URL="$CIRCLE_BUILD_URL" make push push/helm3 release
+          ORG=roboll BUILD_URL="$CIRCLE_BUILD_URL" make push push/debian release
 
 workflows:
   version: 2
@@ -143,14 +143,14 @@ workflows:
     jobs:
       - build
       - image
-      - image_helm3
+      - image_debian
       - test
       - integration_tests:
           requires:
             - build
           matrix:
             parameters:
-              helm-version: ["v2.17.0", "v3.4.2", "v3.5.4"]
+              helm-version: ["v2.17.0", "v3.4.2", "v3.5.4", "v3.6.3"]
       - release:
           filters:
             branches:
diff --git a/Dockerfile b/Dockerfile
index 65813f94..8b4959a3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,17 +11,17 @@ FROM alpine:3.11
 
 RUN apk add --no-cache ca-certificates git bash curl jq
 
-ARG HELM_VERSION="v2.17.0"
-ARG HELM_LOCATION="https://kubernetes-helm.storage.googleapis.com"
+ARG HELM_VERSION="v3.6.3"
+ARG HELM_SHA256="07c100849925623dc1913209cd1a30f0a9b80a5b4d6ff2153c609d11b043e262"
+ARG HELM_LOCATION="https://get.helm.sh"
 ARG HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz"
-ARG HELM_SHA256="f3bec3c7c55f6a9eb9e6586b8c503f370af92fe987fcbf741f37707606d70296"
+
 RUN set -x && \
     wget ${HELM_LOCATION}/${HELM_FILENAME} && \
     echo Verifying ${HELM_FILENAME}... && \
     sha256sum ${HELM_FILENAME} | grep -q "${HELM_SHA256}" && \
     echo Extracting ${HELM_FILENAME}... && \
     tar zxvf ${HELM_FILENAME} && mv /linux-amd64/helm /usr/local/bin/ && \
-    mv /linux-amd64/tiller /usr/local/bin/ && \
     rm ${HELM_FILENAME} && rm -r /linux-amd64
 
 # using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/
@@ -29,21 +29,28 @@ RUN set -x && \
 # we should be able to install using apk add.
 # the sha256 sum can be found at https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256
 # maybe a good idea to automate in the future?
-ENV KUBECTL_VERSION="v1.18.9"
-ENV KUBECTL_SHA256="6a68756a2d3d04b4d0f52b00de6493ba2c1fcb28b32f3e4a0e99b3d9f6c4e8ed"
-RUN set -x & \
+ENV KUBECTL_VERSION="v1.21.4"
+ENV KUBECTL_SHA256="9410572396fb31e49d088f9816beaebad7420c7686697578691be1651d3bf85a"
+RUN set -x && \
     curl --retry 5 --retry-connrefused -LO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
     sha256sum kubectl | grep ${KUBECTL_SHA256} && \
     chmod +x kubectl && \
     mv kubectl /usr/local/bin/kubectl
 
-RUN ["helm", "init", "--client-only", "--stable-repo-url", "https://charts.helm.sh/stable"]
-RUN helm plugin install https://github.com/databus23/helm-diff && \
-    helm plugin install https://github.com/futuresimple/helm-secrets && \
-    helm plugin install https://github.com/hypnoglow/helm-s3.git && \
-    helm plugin install https://github.com/aslafy-z/helm-git.git && \
-    helm plugin install https://github.com/rimusz/helm-tiller
+ENV KUSTOMIZE_VERSION="v3.8.8"
+ENV KUSTOMIZE_SHA256="175938206f23956ec18dac3da0816ea5b5b485a8493a839da278faac82e3c303"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \
+    tar zxf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    mv kustomize /usr/local/bin/kustomize
+
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.1.3 && \
+    helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0 && \
+    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.10.0 && \
+    helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.10.0
 
 COPY --from=builder /workspace/helmfile/dist/helmfile_linux_amd64 /usr/local/bin/helmfile
 
-CMD ["/usr/local/bin/helmfile", "--help"]
+CMD ["/usr/local/bin/helmfile"]
diff --git a/Dockerfile.debian b/Dockerfile.debian
new file mode 100644
index 00000000..602d0ccc
--- /dev/null
+++ b/Dockerfile.debian
@@ -0,0 +1,70 @@
+FROM golang:1.16.7 as builder
+
+RUN apt-get update \
+ && apt-get install --no-install-recommends -y \
+    build-essential \
+    git \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace/helmfile
+COPY . /workspace/helmfile
+
+RUN make static-linux
+
+# -----------------------------------------------------------------------------
+
+FROM debian:stable-slim
+
+RUN apt-get update \ 
+ && apt-get install -y --no-install-recommends \
+    ca-certificates  \
+    git \
+    bash \
+    curl \
+    jq \
+    wget \
+ && rm -rf /var/lib/apt/lists/* 
+
+ARG HELM_VERSION="v3.6.3"
+ARG HELM_SHA256="07c100849925623dc1913209cd1a30f0a9b80a5b4d6ff2153c609d11b043e262"
+ARG HELM_LOCATION="https://get.helm.sh"
+ARG HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz"
+
+RUN set -x && \
+    wget "${HELM_LOCATION}/${HELM_FILENAME}" && \
+    echo "Verifying ${HELM_FILENAME}..." && \
+    sha256sum "${HELM_FILENAME}" | grep -q "${HELM_SHA256}" && \
+    echo "Extracting ${HELM_FILENAME}..." && \
+    tar zxvf "${HELM_FILENAME}" && mv /linux-amd64/helm /usr/local/bin/ && \
+    rm ${HELM_FILENAME} && rm -r /linux-amd64
+
+# using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/
+# for now but in a future version of alpine (in the testing version at the time of writing)
+# we should be able to install using apk add.
+# the sha256 sum can be found at https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256
+# maybe a good idea to automate in the future?
+ENV KUBECTL_VERSION="v1.21.4"
+ENV KUBECTL_SHA256="9410572396fb31e49d088f9816beaebad7420c7686697578691be1651d3bf85a"
+RUN set -x && \
+    wget "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
+    sha256sum kubectl | grep ${KUBECTL_SHA256} && \
+    chmod +x kubectl && \
+    mv kubectl /usr/local/bin/kubectl
+
+ENV KUSTOMIZE_VERSION="v3.8.8"
+ENV KUSTOMIZE_SHA256="175938206f23956ec18dac3da0816ea5b5b485a8493a839da278faac82e3c303"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \
+    tar zxf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    mv kustomize /usr/local/bin/kustomize
+
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.1.3 && \
+    helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0 && \
+    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.10.0 && \
+    helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.10.0
+
+COPY --from=builder /workspace/helmfile/dist/helmfile_linux_amd64 /usr/local/bin/helmfile
+
+CMD ["/usr/local/bin/helmfile"]
diff --git a/Makefile b/Makefile
index 9d7f6a63..6fa40779 100644
--- a/Makefile
+++ b/Makefile
@@ -71,11 +71,11 @@ run: image
 push: image
 	docker push quay.io/${ORG}/helmfile:${TAG}
 
-image/helm3:
-	docker build -f Dockerfile.helm3 -t quay.io/${ORG}/helmfile:helm3-${TAG} .
+image/debian:
+	docker build -f Dockerfile.debian -t quay.io/${ORG}/helmfile:${TAG}-stable-slim .
 
-push/helm3: image/helm3
-	docker push quay.io/${ORG}/helmfile:helm3-${TAG}
+push/debian: image/debian
+	docker push quay.io/${ORG}/helmfile:${TAG}-stable-slim
 
 tools:
 	go get -u github.com/tcnksm/ghr github.com/mitchellh/gox