diff --git a/charts/kubezero-argo/README.md b/charts/kubezero-argo/README.md
index acadbe9c..f58b1ae9 100644
--- a/charts/kubezero-argo/README.md
+++ b/charts/kubezero-argo/README.md
@@ -50,7 +50,7 @@ Kubernetes: `>= 1.26.0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v2.11.0"` |  |
+| argo-cd.global.image.tag | string | `"v2.11.5"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
 | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` |  |
@@ -64,7 +64,7 @@ Kubernetes: `>= 1.26.0`
 | argo-cd.repoServer.clusterRoleRules.rules[0].verbs[2] | string | `"list"` |  |
 | argo-cd.repoServer.initContainers[0].command[0] | string | `"/usr/local/bin/sa2kubeconfig.sh"` |  |
 | argo-cd.repoServer.initContainers[0].command[1] | string | `"/home/argocd/.kube/config"` |  |
-| argo-cd.repoServer.initContainers[0].image | string | `"public.ecr.aws/zero-downtime/zdt-argocd:v2.11.0"` |  |
+| argo-cd.repoServer.initContainers[0].image | string | `"{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include \"argo-cd.defaultTag\" .) .Values.repoServer.image.tag }}"` |  |
 | argo-cd.repoServer.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` |  |
 | argo-cd.repoServer.initContainers[0].name | string | `"create-kubeconfig"` |  |
 | argo-cd.repoServer.initContainers[0].securityContext.allowPrivilegeEscalation | bool | `false` |  |
diff --git a/charts/kubezero-argo/values.yaml b/charts/kubezero-argo/values.yaml
index c76ea1ec..2c953c61 100644
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@@ -143,8 +143,8 @@ argo-cd:
 
     initContainers:
       - name: create-kubeconfig
-        image: public.ecr.aws/zero-downtime/zdt-argocd:v2.11.0
-        imagePullPolicy: IfNotPresent
+        image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
+        imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
         command:
           - /usr/local/bin/sa2kubeconfig.sh
           - /home/argocd/.kube/config
@@ -152,14 +152,7 @@ argo-cd:
         - mountPath: /home/argocd/.kube
           name: kubeconfigs
         securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
-          capabilities:
-            drop:
-            - ALL
+          '{{- toYaml .Values.repoServer.containerSecurityContext | nindent 4 }}'
 
   server:
     # Rename former https port to grpc, works with istio + insecure