diff --git a/.github/workflows/canary_images.yaml b/.github/workflows/canary_images.yaml
index a7bdf921..c9f36591 100644
--- a/.github/workflows/canary_images.yaml
+++ b/.github/workflows/canary_images.yaml
@@ -4,6 +4,9 @@ on:
   push:
     branches:
       - main
+      - "image/**"
+      - "*image"
+      - "image*"
     paths-ignore:
       - .github/workflows/ci.yml
       - .github/workflows/lock.yml
@@ -15,7 +18,29 @@ on:
       - "Makefile"
 
 jobs:
+  build-test:
+    if: ${{ github.ref != 'refs/heads/main' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    name: Build Images
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Build
+        uses: docker/build-push-action@v2
+        strategy:
+          matrix:
+           include:
+             - dockerfile: Dockerfile
+             - dockerfile: Dockerfile.debian
+        with:
+          file: ${{ matrix.dockerfile }}
+          platforms: linux/amd64,linux/arm64
+
   build:
+    if: ${{ github.ref == 'refs/heads/main' }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
diff --git a/Dockerfile b/Dockerfile
index 0880ba50..188be200 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,11 @@
-FROM golang:1.18-alpine as builder
+FROM golang:1.18.0-alpine as builder
 
 RUN apk add --no-cache make git
 WORKDIR /workspace/helmfile
+
+COPY go.mod go.sum /workspace/helmfile/
+RUN go mod download
+
 COPY . /workspace/helmfile
 RUN make static-linux
 
@@ -44,10 +48,24 @@ ENV KUSTOMIZE_SHA256="175938206f23956ec18dac3da0816ea5b5b485a8493a839da278faac82
 RUN set -x && \
     curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
     sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \
-    tar zxf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    tar zxvf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
     rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
     mv kustomize /usr/local/bin/kustomize
 
+ENV SOPS_VERSION="v3.7.2"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64 && \
+    chmod +x sops-${SOPS_VERSION}.linux.amd64  && \
+    mv sops-${SOPS_VERSION}.linux.amd64 /usr/local/bin/sops
+
+ENV AGE_VERSION="v1.0.0"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/age-${AGE_VERSION}-linux-amd64.tar.gz && \
+    tar zxvf age-${AGE_VERSION}-linux-amd64.tar.gz && \
+    mv age/age /usr/local/bin/age && \
+    mv age/age-keygen /usr/local/bin/age-keygen && \
+    rm -rf age-${AGE_VERSION}-linux-amd64.tar.gz age
+
 RUN helm plugin install https://github.com/databus23/helm-diff --version v3.3.1 && \
     helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0 && \
     helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.10.0 && \
diff --git a/Dockerfile.debian b/Dockerfile.debian
index 8ce93271..2f252116 100644
--- a/Dockerfile.debian
+++ b/Dockerfile.debian
@@ -1,14 +1,12 @@
-FROM golang:1.17.3 as builder
-
-RUN apt-get update \
- && apt-get install --no-install-recommends -y \
-    build-essential \
-    git \
- && rm -rf /var/lib/apt/lists/*
+FROM golang:1.18.0-alpine as builder
 
+RUN apk add --no-cache make git
 WORKDIR /workspace/helmfile
-COPY . /workspace/helmfile
 
+COPY go.mod go.sum /workspace/helmfile/
+RUN go mod download
+
+COPY . /workspace/helmfile
 RUN make static-linux
 
 # -----------------------------------------------------------------------------
@@ -17,15 +15,11 @@ FROM debian:stable-slim
 
 LABEL org.opencontainers.image.source https://github.com/helmfile/helmfile
 
-RUN apt-get update \ 
- && apt-get install -y --no-install-recommends \
-    ca-certificates  \
-    git \
-    bash \
-    curl \
-    jq \
-    wget \
- && rm -rf /var/lib/apt/lists/* 
+RUN apt update -qq && \
+    apt install --no-install-recommends -y \
+      ca-certificates  \
+      git bash curl jq pip wget && \
+    rm -rf /var/lib/apt/lists/*
 
 ARG HELM_VERSION="v3.7.2"
 ARG HELM_SHA256="4ae30e48966aba5f807a4e140dad6736ee1a392940101e4d79ffb4ee86200a9e"
@@ -58,15 +52,32 @@ ENV KUSTOMIZE_SHA256="175938206f23956ec18dac3da0816ea5b5b485a8493a839da278faac82
 RUN set -x && \
     curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
     sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \
-    tar zxf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    tar zxvf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
     rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
     mv kustomize /usr/local/bin/kustomize
 
+ENV SOPS_VERSION="v3.7.2"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64 && \
+    chmod +x sops-${SOPS_VERSION}.linux.amd64  && \
+    mv sops-${SOPS_VERSION}.linux.amd64  /usr/local/bin/sops
+
+ENV AGE_VERSION="v1.0.0"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/age-${AGE_VERSION}-linux-amd64.tar.gz && \
+    tar zxvf age-${AGE_VERSION}-linux-amd64.tar.gz && \
+    mv age/age /usr/local/bin/age && \
+    mv age/age-keygen /usr/local/bin/age-keygen && \
+    rm -rf age-${AGE_VERSION}-linux-amd64.tar.gz age \
+
 RUN helm plugin install https://github.com/databus23/helm-diff --version v3.3.1 && \
     helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0 && \
     helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.10.0 && \
     helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.10.0
 
+# Allow users other than root to use helm plugins located in root home
+RUN chmod 751 /root
+
 COPY --from=builder /workspace/helmfile/dist/helmfile_linux_amd64 /usr/local/bin/helmfile
 
 CMD ["/usr/local/bin/helmfile"]
diff --git a/Dockerfile.helm3 b/Dockerfile.helm3
deleted file mode 100644
index 0f22f8ee..00000000
--- a/Dockerfile.helm3
+++ /dev/null
@@ -1,58 +0,0 @@
-FROM golang:1.17.3-alpine3.13 as builder
-
-RUN apk add --no-cache make git
-WORKDIR /workspace/helmfile
-COPY . /workspace/helmfile
-RUN make static-linux
-
-# -----------------------------------------------------------------------------
-
-FROM alpine:3.13
-
-RUN apk add --no-cache ca-certificates git bash curl jq
-
-ARG HELM_VERSION="v3.7.2"
-ARG HELM_LOCATION="https://get.helm.sh"
-ARG HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz"
-ARG HELM_SHA256="4ae30e48966aba5f807a4e140dad6736ee1a392940101e4d79ffb4ee86200a9e"
-RUN set -x && \
-    wget ${HELM_LOCATION}/${HELM_FILENAME} && \
-    echo Verifying ${HELM_FILENAME}... && \
-    sha256sum ${HELM_FILENAME} | grep -q "${HELM_SHA256}" && \
-    echo Extracting ${HELM_FILENAME}... && \
-    tar zxvf ${HELM_FILENAME} && mv /linux-amd64/helm /usr/local/bin/ && \
-    rm ${HELM_FILENAME} && rm -r /linux-amd64
-
-# using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/
-# for now but in a future version of alpine (in the testing version at the time of writing)
-# we should be able to install using apk add.
-# the sha256 sum can be found at https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256
-# maybe a good idea to automate in the future?
-ENV KUBECTL_VERSION="v1.18.9"
-ENV KUBECTL_SHA256="6a68756a2d3d04b4d0f52b00de6493ba2c1fcb28b32f3e4a0e99b3d9f6c4e8ed"
-RUN set -x && \
-    curl --retry 5 --retry-connrefused -LO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
-    sha256sum kubectl | grep ${KUBECTL_SHA256} && \
-    chmod +x kubectl && \
-    mv kubectl /usr/local/bin/kubectl
-
-ENV KUSTOMIZE_VERSION="v3.8.8"
-ENV KUSTOMIZE_SHA256="175938206f23956ec18dac3da0816ea5b5b485a8493a839da278faac82e3c303"
-RUN set -x && \
-    curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
-    sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \
-    tar zxf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
-    rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
-    mv kustomize /usr/local/bin/kustomize
-
-RUN helm plugin install https://github.com/databus23/helm-diff --version v3.3.1 && \
-    helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0 && \
-    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.10.0 && \
-    helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.10.0
-
-# Allow users other than root to use helm plugins located in root home
-RUN chmod 751 /root
-
-COPY --from=builder /workspace/helmfile/dist/helmfile_linux_amd64 /usr/local/bin/helmfile
-
-CMD ["/usr/local/bin/helmfile"]
diff --git a/Dockerfile.helm3.ubuntu b/Dockerfile.helm3.ubuntu
deleted file mode 100644
index a883c6f9..00000000
--- a/Dockerfile.helm3.ubuntu
+++ /dev/null
@@ -1,63 +0,0 @@
-FROM golang:1.17.3-buster as builder
-
-RUN apt update -qq && \
-    apt install --no-install-recommends -y make git && \
-    rm -rf /var/lib/apt/lists/*
-WORKDIR /workspace/helmfile
-COPY . /workspace/helmfile
-RUN make static-linux
-
-# -----------------------------------------------------------------------------
-
-FROM ubuntu:20.10
-
-RUN apt update -qq && \
-    apt install --no-install-recommends -y \
-    ca-certificates \
-    git bash curl jq pip wget && \
-    rm -rf /var/lib/apt/lists/*
-
-ARG HELM_VERSION="v3.7.2"
-ARG HELM_LOCATION="https://get.helm.sh"
-ARG HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz"
-ARG HELM_SHA256="4ae30e48966aba5f807a4e140dad6736ee1a392940101e4d79ffb4ee86200a9e"
-RUN set -x && \
-    wget ${HELM_LOCATION}/${HELM_FILENAME} && \
-    echo Verifying ${HELM_FILENAME}... && \
-    sha256sum ${HELM_FILENAME} | grep -q "${HELM_SHA256}" && \
-    echo Extracting ${HELM_FILENAME}... && \
-    tar zxvf ${HELM_FILENAME} && mv /linux-amd64/helm /usr/local/bin/ && \
-    rm ${HELM_FILENAME} && rm -r /linux-amd64
-
-# using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/
-# for now but in a future version of alpine (in the testing version at the time of writing)
-# we should be able to install using apk add.
-# the sha256 sum can be found at https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256
-# maybe a good idea to automate in the future?
-ENV KUBECTL_VERSION="v1.18.9"
-ENV KUBECTL_SHA256="6a68756a2d3d04b4d0f52b00de6493ba2c1fcb28b32f3e4a0e99b3d9f6c4e8ed"
-RUN set -x && \
-    curl --retry 5 --retry-connrefused -LO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
-    sha256sum kubectl | grep ${KUBECTL_SHA256} && \
-    chmod +x kubectl && \
-    mv kubectl /usr/local/bin/kubectl
-
-ENV KUSTOMIZE_VERSION="v3.8.8"
-ENV KUSTOMIZE_SHA256="175938206f23956ec18dac3da0816ea5b5b485a8493a839da278faac82e3c303"
-RUN set -x && \
-    curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
-    sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \
-    tar zxf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
-    rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
-    mv kustomize /usr/local/bin/kustomize
-
-RUN pip install sops
-
-RUN helm plugin install https://github.com/databus23/helm-diff --version v3.3.1 && \
-    helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0 && \
-    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.10.0 && \
-    helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.10.0
-
-COPY --from=builder /workspace/helmfile/dist/helmfile_linux_amd64 /usr/local/bin/helmfile
-
-CMD ["/usr/local/bin/helmfile"]
diff --git a/Dockerfile.ubuntu b/Dockerfile.ubuntu
index 4bfc5942..1de5db8f 100644
--- a/Dockerfile.ubuntu
+++ b/Dockerfile.ubuntu
@@ -1,9 +1,11 @@
-FROM golang:1.17.3-buster as builder
+FROM golang:1.18.0-alpine as builder
 
-RUN apt update -qq && \
-    apt install --no-install-recommends -y make git && \
-    rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache make git
 WORKDIR /workspace/helmfile
+
+COPY go.mod go.sum /workspace/helmfile/
+RUN go mod download
+
 COPY . /workspace/helmfile
 RUN make static-linux
 
@@ -11,23 +13,25 @@ RUN make static-linux
 
 FROM ubuntu:20.10
 
+LABEL org.opencontainers.image.source https://github.com/helmfile/helmfile
+
 RUN apt update -qq && \
     apt install --no-install-recommends -y \
-    ca-certificates \
-    git bash curl jq pip wget && \
+      ca-certificates \
+      git bash curl jq pip wget && \
     rm -rf /var/lib/apt/lists/*
 
-ARG HELM_VERSION="v2.17.0"
-ARG HELM_LOCATION="https://kubernetes-helm.storage.googleapis.com"
+ARG HELM_VERSION="v3.7.2"
+ARG HELM_SHA256="4ae30e48966aba5f807a4e140dad6736ee1a392940101e4d79ffb4ee86200a9e"
+ARG HELM_LOCATION="https://get.helm.sh"
 ARG HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz"
-ARG HELM_SHA256="f3bec3c7c55f6a9eb9e6586b8c503f370af92fe987fcbf741f37707606d70296"
+
 RUN set -x && \
     wget ${HELM_LOCATION}/${HELM_FILENAME} && \
     echo Verifying ${HELM_FILENAME}... && \
     sha256sum ${HELM_FILENAME} | grep -q "${HELM_SHA256}" && \
     echo Extracting ${HELM_FILENAME}... && \
     tar zxvf ${HELM_FILENAME} && mv /linux-amd64/helm /usr/local/bin/ && \
-    mv /linux-amd64/tiller /usr/local/bin/ && \
     rm ${HELM_FILENAME} && rm -r /linux-amd64
 
 # using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/
@@ -35,23 +39,45 @@ RUN set -x && \
 # we should be able to install using apk add.
 # the sha256 sum can be found at https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256
 # maybe a good idea to automate in the future?
-ENV KUBECTL_VERSION="v1.18.9"
-ENV KUBECTL_SHA256="6a68756a2d3d04b4d0f52b00de6493ba2c1fcb28b32f3e4a0e99b3d9f6c4e8ed"
-RUN set -x & \
+ENV KUBECTL_VERSION="v1.21.4"
+ENV KUBECTL_SHA256="9410572396fb31e49d088f9816beaebad7420c7686697578691be1651d3bf85a"
+RUN set -x && \
     curl --retry 5 --retry-connrefused -LO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
     sha256sum kubectl | grep ${KUBECTL_SHA256} && \
     chmod +x kubectl && \
     mv kubectl /usr/local/bin/kubectl
 
-RUN pip install sops
+ENV KUSTOMIZE_VERSION="v3.8.8"
+ENV KUSTOMIZE_SHA256="175938206f23956ec18dac3da0816ea5b5b485a8493a839da278faac82e3c303"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    sha256sum kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz | grep ${KUSTOMIZE_SHA256} && \
+    tar zxvf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
+    mv kustomize /usr/local/bin/kustomize
 
-RUN ["helm", "init", "--client-only", "--stable-repo-url", "https://charts.helm.sh/stable"]
-RUN helm plugin install https://github.com/databus23/helm-diff && \
-    helm plugin install https://github.com/futuresimple/helm-secrets && \
-    helm plugin install https://github.com/hypnoglow/helm-s3.git && \
-    helm plugin install https://github.com/aslafy-z/helm-git.git && \
-    helm plugin install https://github.com/rimusz/helm-tiller
+ENV SOPS_VERSION="v3.7.2"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64 && \
+    chmod +x sops-${SOPS_VERSION}.linux.amd64  && \
+    mv sops-${SOPS_VERSION}.linux.amd64  /usr/local/bin/sops \
+
+ENV AGE_VERSION="v1.0.0"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/age-${AGE_VERSION}-linux-amd64.tar.gz && \
+    tar zxvf age-${AGE_VERSION}-linux-amd64.tar.gz && \
+    mv age/age /usr/local/bin/age && \
+    mv age/age-keygen /usr/local/bin/age-keygen && \
+    rm -rf age-${AGE_VERSION}-linux-amd64.tar.gz age \
+
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.3.1 && \
+    helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0 && \
+    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.10.0 && \
+    helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.10.0
+
+# Allow users other than root to use helm plugins located in root home
+RUN chmod 751 /root
 
 COPY --from=builder /workspace/helmfile/dist/helmfile_linux_amd64 /usr/local/bin/helmfile
 
-CMD ["/usr/local/bin/helmfile", "--help"]
+CMD ["/usr/local/bin/helmfile"]