diff --git a/charts/kubezero-argo/README.md b/charts/kubezero-argo/README.md
index e484cf82..9a816eda 100644
--- a/charts/kubezero-argo/README.md
+++ b/charts/kubezero-argo/README.md
@@ -1,6 +1,6 @@
 # kubezero-argo
 
-![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square)
+![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square)
 
 KubeZero Argo - Events, Workflow, CD
 
@@ -18,9 +18,9 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 8.0.9 |
+| https://argoproj.github.io/argo-helm | argo-cd | 8.0.14 |
 | https://argoproj.github.io/argo-helm | argo-events | 2.4.15 |
-| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.1 |
+| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.2 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
 
 ## Values
@@ -53,7 +53,7 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v3.0.3"` |  |
+| argo-cd.global.image.tag | string | `"v3.0.5"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.global.networkPolicy.create | bool | `true` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
@@ -83,8 +83,8 @@ Kubernetes: `>= 1.30.0-0`
 | argo-events.configs.jetstream.streamConfig.maxMsgs | int | `1000000` | Maximum number of messages before expiring oldest message |
 | argo-events.configs.jetstream.streamConfig.replicas | int | `1` | Number of replicas, defaults to 3 and requires minimal 3 |
 | argo-events.configs.jetstream.versions[0].configReloaderImage | string | `"natsio/nats-server-config-reloader:0.14.1"` |  |
-| argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.17.2"` |  |
-| argo-events.configs.jetstream.versions[0].natsImage | string | `"nats:2.11.1-scratch"` |  |
+| argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.17.3"` |  |
+| argo-events.configs.jetstream.versions[0].natsImage | string | `"nats:2.11.4-scratch"` |  |
 | argo-events.configs.jetstream.versions[0].startCommand | string | `"/nats-server"` |  |
 | argo-events.configs.jetstream.versions[0].version | string | `"2.10.11"` |  |
 | argo-events.enabled | bool | `false` |  |
diff --git a/charts/kubezero-argo/values.yaml b/charts/kubezero-argo/values.yaml
index 6387ef1f..ac7285a5 100644
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@@ -38,7 +38,7 @@ argo-cd:
       format: json
     image:
       repository: public.ecr.aws/zero-downtime/zdt-argocd
-      tag: v3.0.3
+      tag: v3.0.5
     networkPolicy:
       create: true
 
diff --git a/charts/kubezero-policy/templates/kyverno/certifcates.yaml b/charts/kubezero-policy/templates/kyverno/certifcates.yaml
new file mode 100644
index 00000000..5ff7bc0d
--- /dev/null
+++ b/charts/kubezero-policy/templates/kyverno/certifcates.yaml
@@ -0,0 +1,52 @@
+{{- if and false .Values.kyverno.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kubezero-lib.fullname" . }}-admission-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+  secretName: {{ template "kubezero-lib.fullname" . }}-kyverno-svc.{{ .Release.Namespace }}.svc.kyverno-tls-pair
+  issuerRef:
+    name: kubezero-local-ca-issuer
+    kind: ClusterIssuer
+  duration: 8760h0m0s
+  privateKey:
+    encoding: PKCS8
+  usages:
+  - "client auth"
+  - "server auth"
+  commonName: {{ template "kubezero-lib.fullname" . }}-admission
+  dnsNames:
+  # <cluster-name>-<nodepool-component>-<index>
+    - 'kyverno-svc'
+    - 'kyverno-svc.{{ .Release.Namespace }}'
+    - 'kyverno-svc.{{ .Release.Namespace }}.svc'
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kubezero-lib.fullname" . }}-cleanup-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+  secretName: {{ template "kubezero-lib.fullname" . }}-kyverno-cleanup-controller.{{ .Release.Namespace }}.svc.kyverno-tls-pair
+  issuerRef:
+    name: kubezero-local-ca-issuer
+    kind: ClusterIssuer
+  duration: 8760h0m0s
+  privateKey:
+    encoding: PKCS8
+  usages:
+  - "client auth"
+  - "server auth"
+  commonName: {{ template "kubezero-lib.fullname" . }}-cleanup-controller
+  dnsNames:
+  # <cluster-name>-<nodepool-component>-<index>
+    - 'kyverno-cleanup-controller'
+    - 'kyverno-cleanup-controller.{{ .Release.Namespace }}'
+    - 'kyverno-cleanup-controller.{{ .Release.Namespace }}.svc'
+{{- end }}
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml
index 9e1bc0bb..7c6db1ec 100644
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@@ -122,7 +122,7 @@ logging:
 argo:
   enabled: false
   namespace: argocd
-  targetRevision: 0.4.0
+  targetRevision: 0.4.1
   argo-cd:
     enabled: false
     istio: