diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml index 28949dfc..a2f009d5 100644 --- a/.github/workflows/check-docs.yml +++ b/.github/workflows/check-docs.yml @@ -11,7 +11,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Helm Docs and check the outcome run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 990a64fb..81238a95 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c0e97903..5f652ccd 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,14 +10,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Set up Helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.x' check-latest: true diff --git a/charts/ctlog/Chart.yaml b/charts/ctlog/Chart.yaml index 02cc64ed..b662f389 100644 --- a/charts/ctlog/Chart.yaml +++ b/charts/ctlog/Chart.yaml @@ -4,8 +4,8 @@ description: Certificate Log type: application -version: 0.2.57 -appVersion: 0.7.11 +version: 0.2.59 +appVersion: 0.7.15 keywords: - security 
@@ -20,10 +20,10 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: ct_server - image: ghcr.io/sigstore/scaffolding/ct_server:v0.7.11@sha256:d6238aba1c35d3a2aae832469b20618e19a638da5f70d37791d945ce010f2027 + image: ghcr.io/sigstore/scaffolding/ct_server:v0.7.15@sha256:49bccd7bccd31f7232265410dcc075b0e2618045bff3075afcf84e630c8b77c3 - name: createctconfig - image: ghcr.io/sigstore/scaffolding/createctconfig:v0.7.11@sha256:bcab917a07bb27f847531b145679b4b9a57bcaa85bb91e0b441ae9473c24fb79 + image: ghcr.io/sigstore/scaffolding/createctconfig:v0.7.15@sha256:f0a4c3518a2b761260a47fee126db364087b9fe2d68e773d392f9cbabdccf198 - name: createtree - image: ghcr.io/sigstore/scaffolding/createtree:v0.7.11@sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03 + image: ghcr.io/sigstore/scaffolding/createtree:v0.7.15@sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8 - name: curlimages/curl image: docker.io/curlimages/curl:8.10.1@sha256:d9b4541e214bcd85196d6e92e2753ac6d0ea699f0af5741f8c6cccbfcf00ef4b diff --git a/charts/ctlog/README.md b/charts/ctlog/README.md index 1789126c..ce865078 100644 --- a/charts/ctlog/README.md +++ b/charts/ctlog/README.md @@ -1,6 +1,6 @@ # ctlog -![Version: 0.2.57](https://img.shields.io/badge/Version-0.2.57-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square) +![Version: 0.2.59](https://img.shields.io/badge/Version-0.2.59-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.15](https://img.shields.io/badge/AppVersion-0.7.15-informational?style=flat-square) Certificate Log 
@@ -24,7 +24,7 @@ Certificate Log
 | createctconfig.image.pullPolicy | string | `"IfNotPresent"` | |
 | createctconfig.image.registry | string | `"ghcr.io"` | |
 | createctconfig.image.repository | string | `"sigstore/scaffolding/createctconfig"` | |
-| createctconfig.image.version | string | `"sha256:bcab917a07bb27f847531b145679b4b9a57bcaa85bb91e0b441ae9473c24fb79"` | v0.7.11 |
+| createctconfig.image.version | string | `"sha256:f0a4c3518a2b761260a47fee126db364087b9fe2d68e773d392f9cbabdccf198"` | v0.7.15 |
 | createctconfig.initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` | |
 | createctconfig.initContainerImage.curl.registry | string | `"docker.io"` | |
 | createctconfig.initContainerImage.curl.repository | string | `"curlimages/curl"` | |
@@ -51,7 +51,7 @@ Certificate Log
 | createtree.image.pullPolicy | string | `"IfNotPresent"` | |
 | createtree.image.registry | string | `"ghcr.io"` | |
 | createtree.image.repository | string | `"sigstore/scaffolding/createtree"` | |
-| createtree.image.version | string | `"sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03"` | |
+| createtree.image.version | string | `"sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8"` | |
 | createtree.name | string | `"createtree"` | |
 | createtree.nodeSelector | object | `{}` | |
 | createtree.securityContext.runAsNonRoot | bool | `true` | |
@@ -73,7 +73,7 @@ Certificate Log
 | server.image.pullPolicy | string | `"IfNotPresent"` | |
 | server.image.registry | string | `"ghcr.io"` | |
 | server.image.repository | string | `"sigstore/scaffolding/ct_server"` | |
-| server.image.version | string | `"sha256:d6238aba1c35d3a2aae832469b20618e19a638da5f70d37791d945ce010f2027"` | |
+| server.image.version | string | `"sha256:49bccd7bccd31f7232265410dcc075b0e2618045bff3075afcf84e630c8b77c3"` | |
 | server.ingress.annotations | object | `{}` | |
 | server.ingress.className | string | `"nginx"` | |
 | server.ingress.enabled | bool | `false` | |
diff --git a/charts/ctlog/templates/_helpers.tpl b/charts/ctlog/templates/_helpers.tpl index 5ff3fab7..33f1cc7f 100644 --- a/charts/ctlog/templates/_helpers.tpl +++ b/charts/ctlog/templates/_helpers.tpl @@ -110,15 +110,9 @@ Server Arguments - {{ printf "--metrics_endpoint=0.0.0.0:%d" (.Values.server.portHTTPMetrics | int) | quote }} - "--log_config=/ctfe-keys/config" - "--alsologtostderr" -{{- if .Values.server.extraArgs -}} -{{- range $key, $value := .Values.server.extraArgs }} -{{- if $value }} -- {{ printf "%v=%v" $key $value | quote }} -{{- else }} -- {{ printf $key | quote }} -{{- end }} -{{- end }} -{{- end -}} +{{- range .Values.server.extraArgs }} +- {{ . | quote }} +{{ end }} {{- end -}} {{/* diff --git a/charts/ctlog/values.yaml b/charts/ctlog/values.yaml index 0fc20688..fb794266 100644 --- a/charts/ctlog/values.yaml +++ b/charts/ctlog/values.yaml @@ -13,8 +13,8 @@ server: registry: ghcr.io repository: sigstore/scaffolding/ct_server pullPolicy: IfNotPresent - # v0.7.11 - version: sha256:d6238aba1c35d3a2aae832469b20618e19a638da5f70d37791d945ce010f2027 + # v0.7.15 + version: sha256:49bccd7bccd31f7232265410dcc075b0e2618045bff3075afcf84e630c8b77c3 livenessProbe: httpGet: path: /healthz @@ -100,8 +100,8 @@ createtree: registry: ghcr.io repository: sigstore/scaffolding/createtree pullPolicy: IfNotPresent - # v0.7.11 - version: sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03 + # v0.7.15 + version: sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8 ttlSecondsAfterFinished: 3600 serviceAccount: create: true 
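Review bot: The rewritten `extraArgs` loop changes the expected shape of `server.extraArgs` from a map (`key: value`) to a list of strings, with no guard for the old form; a user who still supplies a map gets `range` iterating the map values only, so every flag name is silently dropped and the bare values are rendered as server arguments. Fail fast on the old shape instead, e.g. `{{- if kindIs "map" .Values.server.extraArgs }}{{ fail "server.extraArgs is now a list of strings" }}{{- end }}`, and document the new list form in values.yaml so the chart's minor bump carries the migration note. The closing `{{ end }}` has no left trim, so each item is followed by a blank line; `{{- end }}` keeps the rendered list compact as the original did. The named template this hunk edits starts outside the hunk.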
@@ -132,8 +132,8 @@ createctconfig: registry: ghcr.io repository: sigstore/scaffolding/createctconfig pullPolicy: IfNotPresent - # -- v0.7.11 - version: sha256:bcab917a07bb27f847531b145679b4b9a57bcaa85bb91e0b441ae9473c24fb79 + # -- v0.7.15 + version: sha256:f0a4c3518a2b761260a47fee126db364087b9fe2d68e773d392f9cbabdccf198 fulcioURL: "http://fulcio-server.fulcio-system.svc" logPrefix: sigstorescaffolding privateKeyPasswordSecretName: "" diff --git a/charts/fulcio/Chart.lock b/charts/fulcio/Chart.lock index ea02f1d6..fc5a9434 100644 --- a/charts/fulcio/Chart.lock +++ b/charts/fulcio/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: ctlog repository: https://sigstore.github.io/helm-charts - version: 0.2.57 -digest: sha256:9d3b2e53af0b40157727a7928095d92c355b08a0fa625dcf46a0cc695f78f905 -generated: "2024-09-29T17:20:25.569061877-04:00" + version: 0.2.59 +digest: sha256:bb907cdf05f1b8d94240217874b1497dd6456d212aa7df66d8424b3a5ca94d2b +generated: "2024-10-31T15:31:00.446133788-04:00" diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 4a3d43ab..5f66aded 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.6.1 +version: 2.6.3 appVersion: 1.6.4 keywords: @@ -19,7 +19,7 @@ maintainers: dependencies: - name: ctlog - version: 0.2.57 + version: 0.2.59 repository: https://sigstore.github.io/helm-charts condition: ctlog.enabled @@ -29,4 +29,4 @@ annotations: - name: fulcio image: gcr.io/projectsigstore/fulcio:v1.6.4@sha256:4b2a0f0877095aa36898af70edd00568158f89e015f6bb7f02475660d0924f3b - name: createcerts - image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.11@sha256:00fdcc2018c1a377eeabf840371711162fe50c31b57646bfda5ed9c0affdea9e + image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.15@sha256:03a5725b8812a45570a1c6ed8e5df7dc2295904cd8603c7ed537d97af174d235 diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 202b7a34..54b4b413 100644 --- a/charts/fulcio/README.md 
+++ b/charts/fulcio/README.md @@ -2,7 +2,7 @@ -![Version: 2.6.1](https://img.shields.io/badge/Version-2.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 2.6.3](https://img.shields.io/badge/Version-2.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. @@ -71,7 +71,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | ctlog | 0.2.57 | +| https://sigstore.github.io/helm-charts | ctlog | 0.2.59 | ## Values @@ -85,7 +85,7 @@ helm uninstall [RELEASE_NAME] | createcerts.image.pullPolicy | string | `"IfNotPresent"` | | | createcerts.image.registry | string | `"ghcr.io"` | | | createcerts.image.repository | string | `"sigstore/scaffolding/createcerts"` | | -| createcerts.image.version | string | `"sha256:00fdcc2018c1a377eeabf840371711162fe50c31b57646bfda5ed9c0affdea9e"` | | +| createcerts.image.version | string | `"sha256:03a5725b8812a45570a1c6ed8e5df7dc2295904cd8603c7ed537d97af174d235"` | | | createcerts.name | string | `"createcerts"` | | | createcerts.nodeSelector | object | `{}` | | | createcerts.replicaCount | int | `1` | | diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index bdaf8285..fca42de8 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml 
@@ -123,8 +123,8 @@ createcerts: registry: ghcr.io repository: sigstore/scaffolding/createcerts pullPolicy: IfNotPresent - # v0.7.11 - version: sha256:00fdcc2018c1a377eeabf840371711162fe50c31b57646bfda5ed9c0affdea9e + # v0.7.15 + version: sha256:03a5725b8812a45570a1c6ed8e5df7dc2295904cd8603c7ed537d97af174d235 ttlSecondsAfterFinished: 3600 serviceAccount: create: true diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md index 0cb4e392..d0ba680e 100644 --- a/charts/policy-controller/README.md +++ b/charts/policy-controller/README.md @@ -2,7 +2,7 @@ -![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square) +![Version: 0.7.2](https://img.shields.io/badge/Version-0.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square) The Helm chart for Policy Controller diff --git a/charts/policy-controller/templates/webhook/deployment_webhook.yaml b/charts/policy-controller/templates/webhook/deployment_webhook.yaml index e271098d..00b1dca4 100644 --- a/charts/policy-controller/templates/webhook/deployment_webhook.yaml +++ b/charts/policy-controller/templates/webhook/deployment_webhook.yaml @@ -75,6 +75,7 @@ spec: value: "{{ $value }}" {{- end }} {{- end }} + {{- if or (semverCompare ">= 1.8-0" .Chart.AppVersion) .Values.webhook.extraArgs }} args: {{- if semverCompare ">= 1.8-0" .Chart.AppVersion }} - -webhook-name={{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }} 
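Review bot: In deployment_webhook.yaml the expression `semverCompare ">= 1.8-0" .Chart.AppVersion` is now evaluated twice on adjacent lines, once in the new guard and once in the existing `if` under `args:`; binding it once with `{{- $newArgs := semverCompare ">= 1.8-0" .Chart.AppVersion }}` and writing `{{- if or $newArgs .Values.webhook.extraArgs }}` keeps the two conditions from drifting apart. The policy-controller README in this same change shows AppVersion 0.8.2, so at present the guard reduces to `if .Values.webhook.extraArgs`, which appears to be the intent of not emitting an empty `args:`. The `if` opened here is closed in the following hunk.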
@@ -84,6 +85,7 @@ spec: {{- range $key, $value := .Values.webhook.extraArgs }} - -{{ $key }}={{ $value }} {{- end }} + {{- end }} ports: - containerPort: 8443 name: https diff --git a/charts/policy-controller/templates/webhook/poddisruptionbudget.yaml b/charts/policy-controller/templates/webhook/poddisruptionbudget.yaml index 2a811156..561b01aa 100644 --- a/charts/policy-controller/templates/webhook/poddisruptionbudget.yaml +++ b/charts/policy-controller/templates/webhook/poddisruptionbudget.yaml @@ -11,15 +11,17 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} + {{- with .Values.annotations }} annotations: -{{- if .Values.annotations }} -{{- with .Values.annotations }} {{- toYaml . | nindent 4 }} -{{- end }} -{{- end }} + {{- end }} spec: + {{- if .Values.webhook.podDisruptionBudget.minAvailable }} minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.webhook.podDisruptionBudget.maxUnavailable }} maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }} + {{- end }} selector: matchLabels: {{- include "policy-controller.selectorLabels" . | nindent 6 }} diff --git a/charts/policy-controller/templates/webhook/secret_certs_webhook.yaml b/charts/policy-controller/templates/webhook/secret_certs_webhook.yaml index e0aa837e..277569e5 100644 --- a/charts/policy-controller/templates/webhook/secret_certs_webhook.yaml +++ b/charts/policy-controller/templates/webhook/secret_certs_webhook.yaml @@ -1,6 +1,7 @@ apiVersion: v1 kind: Secret metadata: + {{- if or .Values.webhook.service.annotations .Values.commonAnnotations }} annotations: {{- if .Values.webhook.service.annotations }} {{ toYaml .Values.webhook.service.annotations | nindent 4 }} 
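Review bot: The new `if` guards around `minAvailable` and `maxUnavailable` in poddisruptionbudget.yaml test truthiness, so a legitimate `0` (valid for either field) is dropped along with an unset value, and a release that sets neither now renders a PodDisruptionBudget spec with no disruption constraint instead of failing at template time. Test for presence instead, e.g. `{{- if not (kindIs "invalid" .Values.webhook.podDisruptionBudget.minAvailable) }}`, and consider `{{ fail "set exactly one of webhook.podDisruptionBudget.minAvailable or maxUnavailable" }}` when both or neither are given, since the API rejects both being set. The `or` guard added to secret_certs_webhook.yaml on this same line has the same truthiness semantics, though skipping an empty annotations map is harmless there.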
@@ -8,9 +9,10 @@ metadata: {{- if .Values.commonAnnotations }} {{- toYaml .Values.commonAnnotations | nindent 4 }} {{- end }} + {{- end }} labels: {{- include "policy-controller.labels" . | nindent 4 }} control-plane: {{ template "policy-controller.fullname" . }}-webhook name: webhook-certs namespace: {{ .Release.Namespace }} -# The data is populated at install time. \ No newline at end of file +# The data is populated at install time. diff --git a/charts/policy-controller/templates/webhook/service_webhook.yaml b/charts/policy-controller/templates/webhook/service_webhook.yaml index 8a0e66cb..d079a210 100644 --- a/charts/policy-controller/templates/webhook/service_webhook.yaml +++ b/charts/policy-controller/templates/webhook/service_webhook.yaml @@ -1,10 +1,10 @@ apiVersion: v1 kind: Service metadata: + {{- with .Values.webhook.service.annotations }} annotations: - {{- if .Values.webhook.service.annotations }} - {{ toYaml .Values.webhook.service.annotations | nindent 4 }} - {{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: {{- include "policy-controller.labels" . | nindent 4 }} control-plane: {{ template "policy-controller.fullname" . }}-webhook @@ -27,10 +27,10 @@ spec: apiVersion: v1 kind: Service metadata: + {{- with .Values.webhook.service.annotations }} annotations: - {{- if .Values.webhook.service.annotations }} - {{ toYaml .Values.webhook.service.annotations | nindent 4 }} - {{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: {{- include "policy-controller.labels" . | nindent 4 }} control-plane: {{ template "policy-controller.fullname" . }}-webhook diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml index 54a8357b..47e1e72b 100644 --- a/charts/rekor/Chart.yaml +++ b/charts/rekor/Chart.yaml @@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr type: application -version: 1.5.1 +version: 1.5.2 appVersion: 1.3.6 keywords: 
@@ -19,7 +19,7 @@ maintainers: dependencies: - name: trillian - version: 0.2.28 + version: 0.2.29 repository: https://sigstore.github.io/helm-charts condition: trillian.enabled @@ -27,16 +27,16 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: createtree - image: ghcr.io/sigstore/scaffolding/createtree:v0.7.11@sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03 + image: ghcr.io/sigstore/scaffolding/createtree:v0.7.15@sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8 - name: curlimages/curl image: docker.io/curlimages/curl:8.10.1@sha256:d9b4541e214bcd85196d6e92e2753ac6d0ea699f0af5741f8c6cccbfcf00ef4b - name: rekor-server image: gcr.io/projectsigstore/rekor-server:v1.3.6@sha256:1237f29e2105d7f5451bbe15a3aca8677ddd1bb80620ca2fd06f74262437cf51 - name: redis - image: docker.io/redis:6.2.14-alpine3.20@sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e + image: docker.io/redis:6.2.16-alpine3.20@sha256:2ba50e1ac3a0ea17b736ce9db2b0a9f6f8b85d4c27d5f5accc6a416d8f42c6d5 - name: backfill-redis image: ghcr.io/sigstore/rekor/backfill-redis:v1.3.6@sha256:a13cd8b2a554d6116888fd1f383cf6e91fc1716df5eda392b82e6bfc66995ec3 - name: scaffold_cloud_proxy - image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.11@sha256:16364cc06de704959576b23da26798850141ecae0f70510654764467cd9f47be + image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.15@sha256:862598dc2457fd246dc5363e0bd21462343c89e714dbd4159e49f119e8ff5ca5 - name: cloud_proxy - image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine@sha256:74680d0e49d44af5b6f994a6a29712866cb95d8851b1416676313d0cf567946b + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine@sha256:6dc1d9ea84ff43eaeaebe51bb52de9e24dce8d8affd2fda0dc0d218897456c12 diff --git a/charts/rekor/README.md b/charts/rekor/README.md index 88210745..4ce5a6f6 100644 --- a/charts/rekor/README.md +++ b/charts/rekor/README.md 
@@ -1,6 +1,6 @@ # rekor -![Version: 1.5.1](https://img.shields.io/badge/Version-1.5.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) +![Version: 1.5.2](https://img.shields.io/badge/Version-1.5.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) Part of the sigstore project, Rekor is a timestamping server and transparency log for storing signatures, as well as an API based server for validation @@ -20,7 +20,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | trillian | 0.2.28 | +| https://sigstore.github.io/helm-charts | trillian | 0.2.29 | ## Values @@ -48,7 +48,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | createtree.image.pullPolicy | string | `"IfNotPresent"` | | | createtree.image.registry | string | `"ghcr.io"` | | | createtree.image.repository | string | `"sigstore/scaffolding/createtree"` | | -| createtree.image.version | string | `"sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03"` | | +| createtree.image.version | string | `"sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8"` | | | createtree.name | string | `"createtree"` | | | createtree.nodeSelector | object | `{}` | | | createtree.resources | object | `{}` | | 
@@ -68,7 +68,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo
 | initContainerResources | object | `{}` | |
 | mysql.enabled | bool | `false` | |
 | mysql.gcp.cloudsql.registry | string | `"gcr.io"` | |
-| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine"` | |
+| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine"` | |
 | mysql.gcp.cloudsql.resources.requests.cpu | string | `"1"` | |
 | mysql.gcp.cloudsql.resources.requests.memory | string | `"2Gi"` | |
 | mysql.gcp.cloudsql.securityContext.allowPrivilegeEscalation | bool | `false` | |
@@ -77,7 +77,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo
 | mysql.gcp.cloudsql.securityContext.runAsNonRoot | bool | `true` | |
 | mysql.gcp.cloudsql.unixDomainSocket.enabled | bool | `false` | |
 | mysql.gcp.cloudsql.unixDomainSocket.path | string | `"/cloudsql"` | |
-| mysql.gcp.cloudsql.version | string | `"sha256:74680d0e49d44af5b6f994a6a29712866cb95d8851b1416676313d0cf567946b"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine |
+| mysql.gcp.cloudsql.version | string | `"sha256:6dc1d9ea84ff43eaeaebe51bb52de9e24dce8d8affd2fda0dc0d218897456c12"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine |
 | mysql.gcp.enabled | bool | `false` | |
 | mysql.gcp.instance | string | `""` | |
 | mysql.gcp.scaffoldSQLProxy.registry | string | `"ghcr.io"` | |
@@ -88,7 +88,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo
 | mysql.gcp.scaffoldSQLProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | |
 | mysql.gcp.scaffoldSQLProxy.securityContext.readOnlyRootFilesystem | bool | `true` | |
 | mysql.gcp.scaffoldSQLProxy.securityContext.runAsNonRoot | bool | `true` | |
-| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:16364cc06de704959576b23da26798850141ecae0f70510654764467cd9f47be"` | v0.7.11 which is based on cloud-sql-proxy:2.13.0-alpine |
+| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:862598dc2457fd246dc5363e0bd21462343c89e714dbd4159e49f119e8ff5ca5"` | v0.7.15 which is based on cloud-sql-proxy:2.14.0-alpine |
 | mysql.hostname | string | `""` | |
 | mysql.image.pullPolicy | string | `"IfNotPresent"` | |
 | mysql.image.registry | string | `"gcr.io"` | |
@@ -109,7 +109,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo
 | redis.image.pullPolicy | string | `"IfNotPresent"` | |
 | redis.image.registry | string | `"docker.io"` | |
 | redis.image.repository | string | `"redis"` | |
-| redis.image.version | string | `"sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e"` | 6.2.14-alpine3.20 |
+| redis.image.version | string | `"sha256:2ba50e1ac3a0ea17b736ce9db2b0a9f6f8b85d4c27d5f5accc6a416d8f42c6d5"` | 6.2.16-alpine3.20 |
 | redis.name | string | `"redis"` | |
 | redis.nodeSelector | object | `{}` | |
 | redis.port | int | `6379` | |
diff --git a/charts/rekor/values.yaml b/charts/rekor/values.yaml
index 84ff26cc..5575dd93 100644
--- a/charts/rekor/values.yaml
+++ b/charts/rekor/values.yaml
@@ -27,8 +27,8 @@ redis: registry: docker.io repository: redis pullPolicy: IfNotPresent - # -- 6.2.14-alpine3.20 - version: "sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e" + # -- 6.2.16-alpine3.20 + version: "sha256:2ba50e1ac3a0ea17b736ce9db2b0a9f6f8b85d4c27d5f5accc6a416d8f42c6d5" resources: {} readinessProbe: initialDelaySeconds: 5 @@ -64,8 +64,8 @@ mysql: scaffoldSQLProxy: registry: ghcr.io repository: sigstore/scaffolding/cloudsqlproxy - # -- v0.7.11 which is based on cloud-sql-proxy:2.13.0-alpine - version: sha256:16364cc06de704959576b23da26798850141ecae0f70510654764467cd9f47be + # -- v0.7.15 which is based on cloud-sql-proxy:2.14.0-alpine + version: sha256:862598dc2457fd246dc5363e0bd21462343c89e714dbd4159e49f119e8ff5ca5 resources: requests: memory: "2Gi" @@ -79,9 +79,9 @@ mysql: - ALL cloudsql: registry: gcr.io - repository: cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine - # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine - version: sha256:74680d0e49d44af5b6f994a6a29712866cb95d8851b1416676313d0cf567946b + repository: cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine + # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine + version: sha256:6dc1d9ea84ff43eaeaebe51bb52de9e24dce8d8affd2fda0dc0d218897456c12 resources: requests: memory: "2Gi" @@ -233,8 +233,8 @@ createtree: registry: ghcr.io repository: sigstore/scaffolding/createtree pullPolicy: IfNotPresent - # v0.7.11 - version: sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03 + # v0.7.15 + version: sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8 ttlSecondsAfterFinished: 3600 serviceAccount: create: true diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index a1c3ed9c..62d06b86 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock 
@@ -1,21 +1,21 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.6.1 + version: 2.6.3 - name: rekor repository: https://sigstore.github.io/helm-charts - version: 1.5.1 + version: 1.5.2 - name: trillian repository: https://sigstore.github.io/helm-charts - version: 0.2.28 + version: 0.2.29 - name: ctlog repository: https://sigstore.github.io/helm-charts - version: 0.2.57 + version: 0.2.59 - name: tuf repository: https://sigstore.github.io/helm-charts - version: 0.1.18 + version: 0.1.19 - name: tsa repository: https://sigstore.github.io/helm-charts version: 1.0.6 -digest: sha256:e0aac105beb48cc1aa0c039e5fdb02cdf13d260e4fcaeea8573cd71693816e97 -generated: "2024-09-30T09:22:16.142095029-04:00" +digest: sha256:f6fa77f0f3fae3257b41508614235a8186f01e4994abb3950552008f9fce38f5 +generated: "2024-10-31T15:38:02.728896868-04:00" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index a3a5cdd9..b63b22a7 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.62 +version: 0.6.65 keywords: - security - pki @@ -16,23 +16,23 @@ maintainers: dependencies: - name: fulcio - version: 2.6.1 + version: 2.6.3 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor - version: 1.5.1 + version: 1.5.2 repository: https://sigstore.github.io/helm-charts condition: rekor.enabled - name: trillian - version: 0.2.28 + version: 0.2.29 repository: https://sigstore.github.io/helm-charts condition: trillian.enabled - name: ctlog - version: 0.2.57 + version: 0.2.59 repository: https://sigstore.github.io/helm-charts condition: ctlog.enabled - name: tuf - version: 0.1.18 + version: 0.1.19 repository: https://sigstore.github.io/helm-charts condition: tuf.enabled - name: tsa diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index 383b8994..cd04d67c 100644 
--- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md @@ -2,7 +2,7 @@ -![Version: 0.6.62](https://img.shields.io/badge/Version-0.6.62-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.65](https://img.shields.io/badge/Version-0.6.65-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture @@ -36,12 +36,12 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | ctlog | 0.2.57 | -| https://sigstore.github.io/helm-charts | fulcio | 2.6.1 | -| https://sigstore.github.io/helm-charts | rekor | 1.5.1 | -| https://sigstore.github.io/helm-charts | trillian | 0.2.28 | +| https://sigstore.github.io/helm-charts | ctlog | 0.2.59 | +| https://sigstore.github.io/helm-charts | fulcio | 2.6.3 | +| https://sigstore.github.io/helm-charts | rekor | 1.5.2 | +| https://sigstore.github.io/helm-charts | trillian | 0.2.29 | | https://sigstore.github.io/helm-charts | tsa | 1.0.6 | -| https://sigstore.github.io/helm-charts | tuf | 0.1.18 | +| https://sigstore.github.io/helm-charts | tuf | 0.1.19 | ## Values 
@@ -49,6 +49,11 @@ helm uninstall [RELEASE_NAME]
 |-----|------|---------|-------------|
 | copySecretJob.affinity | object | `{}` | |
 | copySecretJob.backoffLimit | int | `6` | |
+| copySecretJob.copySecretCronJob.backoffLimit | int | `2` | |
+| copySecretJob.copySecretCronJob.enabled | bool | `false` | |
+| copySecretJob.copySecretCronJob.failedJobsHistoryLimit | int | `1` | |
+| copySecretJob.copySecretCronJob.schedule | string | `"*/5 * * * 1-5"` | |
+| copySecretJob.copySecretCronJob.successfulJobsHistoryLimit | int | `1` | |
 | copySecretJob.enabled | bool | `false` | |
 | copySecretJob.imagePullPolicy | string | `"IfNotPresent"` | |
 | copySecretJob.name | string | `"copy-secrets-job"` | |
@@ -91,6 +96,30 @@ helm uninstall [RELEASE_NAME]
 | rekor.server.fullnameOverride | string | `"rekor-server"` | |
 | rekor.tolerations | list | `[]` | |
 | rekor.trillian.enabled | bool | `false` | |
+| secrets.ctlog.create | bool | `false` | |
+| secrets.ctlog.deploymentName | string | `"ctlog"` | |
+| secrets.ctlog.key | string | `"public"` | |
+| secrets.ctlog.name | string | `"ctlog-public-key"` | |
+| secrets.ctlog.namespace | string | `"ctlog-system"` | |
+| secrets.ctlog.path | string | `"ctfe.pub"` | |
+| secrets.fulcio.create | bool | `false` | |
+| secrets.fulcio.deploymentName | string | `"fulcio-server"` | |
+| secrets.fulcio.key | string | `"cert"` | |
+| secrets.fulcio.name | string | `"fulcio-server-secret"` | |
+| secrets.fulcio.namespace | string | `"fulcio-system"` | |
+| secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
+| secrets.rekor.create | bool | `false` | |
+| secrets.rekor.deploymentName | string | `"rekor-server"` | |
+| secrets.rekor.key | string | `"key"` | |
+| secrets.rekor.name | string | `"rekor-public-key"` | |
+| secrets.rekor.namespace | string | `"rekor-system"` | |
+| secrets.rekor.path | string | `"rekor.pub"` | |
+| secrets.tsa.create | bool | `false` | |
+| secrets.tsa.deploymentName | string | `"tsa-server"` | |
+| secrets.tsa.key | string | `"cert-chain"` | |
+| secrets.tsa.name | string | `"tsa-cert-chain"` | |
+| secrets.tsa.namespace | string | `"tsa-system"` | |
+| secrets.tsa.path | string | `"tsa.certchain.pem"` | |
 | trillian.affinity | object | `{}` | |
 | trillian.enabled | bool | `true` | |
 | trillian.forceNamespace | string | `"trillian-system"` | |
@@ -121,14 +150,6 @@ helm uninstall [RELEASE_NAME] | tuf.namespace.create | bool | `true` | | | tuf.namespace.name | string | `"tuf-system"` | | | tuf.nodeSelector | object | `{}` | | -| tuf.secrets.ctlog.name | string | `"ctlog-public-key"` | | -| tuf.secrets.ctlog.path | string | `"ctfe.pub"` | | -| tuf.secrets.fulcio.name | string | `"fulcio-server-secret"` | | -| tuf.secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | | -| tuf.secrets.rekor.name | string | `"rekor-public-key"` | | -| tuf.secrets.rekor.path | string | `"rekor.pub"` | | -| tuf.secrets.tsa.name | string | `"tsa-cert-chain"` | | -| tuf.secrets.tsa.path | string | `"tsa.certchain.pem"` | | | tuf.tolerations | list | `[]` | | ---------------------------------------------- diff --git a/charts/scaffold/templates/_helpers.tpl b/charts/scaffold/templates/_helpers.tpl index 1c1c296d..608b4e81 100644 --- a/charts/scaffold/templates/_helpers.tpl +++ b/charts/scaffold/templates/_helpers.tpl @@ -8,4 +8,3 @@ Create the image path for the passed in image field {{- printf "%s/%s:%s" .registry .repository .version -}} {{- end -}} {{- end -}} - diff --git a/charts/scaffold/templates/clusterrole.yaml b/charts/scaffold/templates/clusterrole.yaml index 746d2deb..c2101851 100644 --- a/charts/scaffold/templates/clusterrole.yaml +++ b/charts/scaffold/templates/clusterrole.yaml @@ -6,8 +6,8 @@ metadata: rules: - apiGroups: [""] resources: ["secrets"] - verbs: ["get", "create", "patch"] + verbs: ["get", "create", "patch"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "delete"{{- end }}] - apiGroups: ["apps"] resources: ["deployments"] - verbs: ["get", "list"] -{{- end }} + verbs: ["get", "list"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "update"{{- end }}] +{{- end }} \ No newline at end of file diff --git a/charts/scaffold/templates/copy-secrets-cronjob.yaml b/charts/scaffold/templates/copy-secrets-cronjob.yaml new file mode 100644 index 00000000..b02f7452 --- /dev/null 
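Review bot: The new `"delete"` on `secrets` and `"update"` on `deployments` are added to a ClusterRole with no `resourceNames` restriction, so whenever `copySecretJob.copySecretCronJob.enabled` is set the job's service account can delete any Secret and update any Deployment in the cluster, not only the four secrets it re-copies. Since the secret and deployment names are already chart values, the extra verbs could be confined with `resourceNames` on a dedicated rule (those verbs support it) or granted through namespaced Roles in the target namespaces, and the reason should be written down next to the rule, e.g. `# delete/update are only needed by the scheduled re-copy CronJob`. The hunk also drops the final newline after `{{- end }}` (`\ No newline at end of file`), which is worth restoring.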
+++ b/charts/scaffold/templates/copy-secrets-cronjob.yaml 
@@ -0,0 +1,108 @@ +{{- if and .Values.copySecretJob.enabled .Values.copySecretJob.copySecretCronJob.enabled }} +apiVersion: batch/v1 +kind: CronJob +metadata: +{{ include "tuf.namespace" .Subcharts.tuf | indent 2 }} + name: {{ .Values.copySecretJob.name }}-scheduled +spec: + schedule: "{{ .Values.copySecretJob.copySecretCronJob.schedule }}" + successfulJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.successfulJobsHistoryLimit }} + failedJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.failedJobsHistoryLimit }} + jobTemplate: + spec: + backoffLimit: {{ default 6 .Values.copySecretJob.copySecretCronJob.backoffLimit }} + template: + spec: + restartPolicy: OnFailure + serviceAccountName: {{ .Values.copySecretJob.serviceaccount }} + initContainers: + - name: wait-for-rekor-deployment-readiness + image: {{ template "scaffold.image" .Values.copySecretJob }} + imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }} + command: ["/bin/sh"] + args: [ + "-c", + "kubectl rollout status deployment {{ .Values.tuf.secrets.rekor.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.rekor.namespace }}" + ] + - name: wait-for-fulcio-deployment-readiness + image: {{ template "scaffold.image" .Values.copySecretJob }} + imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }} + command: ["/bin/sh"] + args: [ + "-c", + "kubectl rollout status deployment {{ .Values.tuf.secrets.fulcio.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.fulcio.namespace }}" + ] + - name: wait-for-ctlog-deployment-readiness + image: {{ template "scaffold.image" .Values.copySecretJob }} + imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }} + command: ["/bin/sh"] + args: [ + "-c", + "kubectl rollout status deployment {{ .Values.tuf.secrets.ctlog.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.ctlog.namespace }}" + ] + - name: wait-for-tsa-deployment-readiness + image: {{ template "scaffold.image" .Values.copySecretJob }} + imagePullPolicy: 
{{ .Values.copySecretJob.pullPolicy }} + command: ["/bin/sh"] + args: [ + "-c", + "kubectl rollout status deployment {{ .Values.tuf.secrets.tsa.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.tsa.namespace }}" + ] + containers: + - name: copy-rekor-secret + image: {{ template "scaffold.image" .Values.copySecretJob }} + imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }} + command: ["/bin/sh"] + args: [ + "-c", + "curl {{ .Values.tuf.secrets.rekor.deploymentName}}.{{ .Values.tuf.secrets.rekor.namespace }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && \ + kubectl apply -f - < -![Version: 0.2.28](https://img.shields.io/badge/Version-0.2.28-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square) +![Version: 0.2.29](https://img.shields.io/badge/Version-0.2.29-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square) Trillian is a log that stores an accurate, immutable and verifiable history of activity. @@ -46,7 +46,7 @@ helm uninstall [RELEASE_NAME] | createdb.image.pullPolicy | string | `"IfNotPresent"` | | | createdb.image.registry | string | `"ghcr.io"` | | | createdb.image.repository | string | `"sigstore/scaffolding/createdb"` | | -| createdb.image.version | string | `"sha256:c835472a9d0e4d8629e9a1a609c8c706cb193144e4088d8f27eade73a4ad5812"` | v0.7.11 | +| createdb.image.version | string | `"sha256:b8f6e7c370228ce4412016d783a5b8f890cb1fb8e7e7acfd8d2c723537270954"` | v0.7.15 | | createdb.name | string | `"createdb"` | | | createdb.nodeSelector | object | `{}` | | | createdb.serviceAccount.annotations | object | `{}` | | 
@@ -70,7 +70,7 @@ helm uninstall [RELEASE_NAME]
 | logServer.image.pullPolicy | string | `"IfNotPresent"` | |
 | logServer.image.registry | string | `"ghcr.io"` | |
 | logServer.image.repository | string | `"sigstore/scaffolding/trillian_log_server"` | |
-| logServer.image.version | string | `"sha256:b09ad6b9f876be07baf6006afdf13402302251a373eef000cdc7a6d0c0ca584f"` | trillian v1.6.1 (scaffolding v0.7.8) |
+| logServer.image.version | string | `"sha256:721b0e89ca3c5e6a167299836880953e2354071eae624a1123fdb5b444d16f76"` | trillian v1.6.1 (scaffolding v0.7.15) |
 | logServer.livenessProbe | object | `{}` | |
 | logServer.name | string | `"log-server"` | |
 | logServer.nodeSelector | object | `{}` | |
@@ -99,7 +99,7 @@ helm uninstall [RELEASE_NAME]
 | logSigner.image.pullPolicy | string | `"IfNotPresent"` | |
 | logSigner.image.registry | string | `"ghcr.io"` | |
 | logSigner.image.repository | string | `"sigstore/scaffolding/trillian_log_signer"` | |
-| logSigner.image.version | string | `"sha256:9ddaf6c45cab0177db6e599d8bde12a46e1913181f4a6942096655e0435d0212"` | trillian v1.6.1 (scaffolding v0.7.8) |
+| logSigner.image.version | string | `"sha256:6d3592457acf9823c6f1dbe03e0cac29dddcfe4eb502bb05a8acf8fdb02a6de5"` | trillian v1.6.1 (scaffolding v0.7.15) |
 | logSigner.livenessProbe | object | `{}` | |
 | logSigner.name | string | `"log-signer"` | |
 | logSigner.nodeSelector | object | `{}` | |
@@ -124,7 +124,7 @@ helm uninstall [RELEASE_NAME]
 | mysql.auth.username | string | `"mysql"` | |
 | mysql.enabled | bool | `true` | |
 | mysql.gcp.cloudsql.registry | string | `"gcr.io"` | |
-| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine"` | |
+| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine"` | |
 | mysql.gcp.cloudsql.resources.requests.cpu | string | `"1"` | |
 | mysql.gcp.cloudsql.resources.requests.memory | string | `"2Gi"` | |
 | mysql.gcp.cloudsql.securityContext.allowPrivilegeEscalation | bool | `false` | |
@@ -133,7 +133,7 @@ helm uninstall [RELEASE_NAME]
 | mysql.gcp.cloudsql.securityContext.runAsNonRoot | bool | `true` | |
 | mysql.gcp.cloudsql.unixDomainSocket.enabled | bool | `false` | |
 | mysql.gcp.cloudsql.unixDomainSocket.path | string | `"/cloudsql"` | |
-| mysql.gcp.cloudsql.version | string | `"sha256:74680d0e49d44af5b6f994a6a29712866cb95d8851b1416676313d0cf567946b"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine |
+| mysql.gcp.cloudsql.version | string | `"sha256:6dc1d9ea84ff43eaeaebe51bb52de9e24dce8d8affd2fda0dc0d218897456c12"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine |
 | mysql.gcp.enabled | bool | `false` | |
 | mysql.gcp.instance | string | `""` | |
 | mysql.gcp.scaffoldSQLProxy.registry | string | `"ghcr.io"` | |
@@ -144,7 +144,7 @@ helm uninstall [RELEASE_NAME] | mysql.gcp.scaffoldSQLProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | | | mysql.gcp.scaffoldSQLProxy.securityContext.readOnlyRootFilesystem | bool | `true` | | | mysql.gcp.scaffoldSQLProxy.securityContext.runAsNonRoot | bool | `true` | | -| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:16364cc06de704959576b23da26798850141ecae0f70510654764467cd9f47be"` | v0.7.11 which is based on cloud-sql-proxy:2.13.0-alpine | +| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:862598dc2457fd246dc5363e0bd21462343c89e714dbd4159e49f119e8ff5ca5"` | v0.7.15 which is based on cloud-sql-proxy:2.14.0-alpine | | mysql.hostname | string | `""` | | | mysql.image.pullPolicy | string | `"IfNotPresent"` | | | mysql.image.registry | string | `"gcr.io"` | | diff --git a/charts/trillian/values.yaml b/charts/trillian/values.yaml index 19155c10..60374de4 100644 --- a/charts/trillian/values.yaml +++ b/charts/trillian/values.yaml @@ -31,8 +31,8 @@ mysql: scaffoldSQLProxy: registry: ghcr.io repository: sigstore/scaffolding/cloudsqlproxy - # -- v0.7.11 which is based on cloud-sql-proxy:2.13.0-alpine - version: sha256:16364cc06de704959576b23da26798850141ecae0f70510654764467cd9f47be + # -- v0.7.15 which is based on cloud-sql-proxy:2.14.0-alpine + version: sha256:862598dc2457fd246dc5363e0bd21462343c89e714dbd4159e49f119e8ff5ca5 resources: requests: memory: "2Gi" @@ -46,9 +46,9 @@ mysql: - ALL cloudsql: registry: gcr.io - repository: cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine - # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine - version: sha256:74680d0e49d44af5b6f994a6a29712866cb95d8851b1416676313d0cf567946b + repository: cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine + # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine + version: sha256:6dc1d9ea84ff43eaeaebe51bb52de9e24dce8d8affd2fda0dc0d218897456c12 resources: requests: memory: "2Gi" 
@@ -138,8 +138,8 @@ logServer: registry: ghcr.io repository: sigstore/scaffolding/trillian_log_server pullPolicy: IfNotPresent - # -- trillian v1.6.1 (scaffolding v0.7.8) - version: sha256:b09ad6b9f876be07baf6006afdf13402302251a373eef000cdc7a6d0c0ca584f + # -- trillian v1.6.1 (scaffolding v0.7.15) + version: sha256:721b0e89ca3c5e6a167299836880953e2354071eae624a1123fdb5b444d16f76 nodeSelector: {} tolerations: [] affinity: {} @@ -174,8 +174,8 @@ logSigner: registry: ghcr.io repository: sigstore/scaffolding/trillian_log_signer pullPolicy: IfNotPresent - # -- trillian v1.6.1 (scaffolding v0.7.8) - version: sha256:9ddaf6c45cab0177db6e599d8bde12a46e1913181f4a6942096655e0435d0212 + # -- trillian v1.6.1 (scaffolding v0.7.15) + version: sha256:6d3592457acf9823c6f1dbe03e0cac29dddcfe4eb502bb05a8acf8fdb02a6de5 nodeSelector: {} tolerations: [] affinity: {} @@ -204,8 +204,8 @@ createdb: registry: ghcr.io repository: sigstore/scaffolding/createdb pullPolicy: IfNotPresent - # -- v0.7.11 - version: sha256:c835472a9d0e4d8629e9a1a609c8c706cb193144e4088d8f27eade73a4ad5812 + # -- v0.7.15 + version: sha256:b8f6e7c370228ce4412016d783a5b8f890cb1fb8e7e7acfd8d2c723537270954 serviceAccount: create: false name: "" diff --git a/charts/tuf/Chart.yaml b/charts/tuf/Chart.yaml index a5a96cce..3b52b7ea 100644 --- a/charts/tuf/Chart.yaml +++ b/charts/tuf/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: tuf description: A framework for securing software update systems - the scaffolding implementation type: application -version: 0.1.18 -appVersion: 0.7.11 +version: 0.1.20 +appVersion: 0.7.15 home: https://sigstore.dev/ sources: @@ -17,4 +17,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: scaffolding-tuf - image: ghcr.io/sigstore/scaffolding/server:v0.7.11@sha256:90992e92dee398c8b9bdeec0365f2b7211f1a14b4b111e9e926c701847e995e7 + image: ghcr.io/sigstore/scaffolding/server:v0.7.15@sha256:982c6173b6f2f976fd9f58eb543ca9ec5f0d1b7c1a6f7bb0c4b96cff1618c62e 
diff --git a/charts/tuf/README.md b/charts/tuf/README.md index 4baa237c..ba8a632c 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md @@ -1,6 +1,6 @@ # tuf -![Version: 0.1.18](https://img.shields.io/badge/Version-0.1.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square) +![Version: 0.1.20](https://img.shields.io/badge/Version-0.1.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.15](https://img.shields.io/badge/AppVersion-0.7.15-informational?style=flat-square) A framework for securing software update systems - the scaffolding implementation @@ -29,7 +29,7 @@ A framework for securing software update systems - the scaffolding implementatio | deployment.replicas | int | `1` | | | deployment.repository | string | `"sigstore/scaffolding/server"` | | | deployment.tolerations | list | `[]` | | -| deployment.version | string | `"sha256:90992e92dee398c8b9bdeec0365f2b7211f1a14b4b111e9e926c701847e995e7"` | | +| deployment.version | string | `"sha256:982c6173b6f2f976fd9f58eb543ca9ec5f0d1b7c1a6f7bb0c4b96cff1618c62e"` | | | enabled | bool | `true` | | | forceNamespace | string | `""` | | | fullnameOverride | string | `"tuf"` | | 
@@ -45,18 +45,22 @@ A framework for securing software update systems - the scaffolding implementatio
 | roleBindingName | string | `"tuf"` | |
 | roleName | string | `"tuf"` | |
 | secrets.ctlog.create | bool | `false` | |
+| secrets.ctlog.enabled | bool | `true` | |
 | secrets.ctlog.key | string | `"public"` | |
 | secrets.ctlog.name | string | `"ctlog-public-key"` | |
 | secrets.ctlog.path | string | `"ctfe.pub"` | |
 | secrets.fulcio.create | bool | `false` | |
+| secrets.fulcio.enabled | bool | `true` | |
 | secrets.fulcio.key | string | `"cert"` | |
 | secrets.fulcio.name | string | `"fulcio-server-secret"` | |
 | secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
 | secrets.rekor.create | bool | `false` | |
+| secrets.rekor.enabled | bool | `true` | |
 | secrets.rekor.key | string | `"key"` | |
 | secrets.rekor.name | string | `"rekor-public-key"` | |
 | secrets.rekor.path | string | `"rekor.pub"` | |
 | secrets.tsa.create | bool | `false` | |
+| secrets.tsa.enabled | bool | `true` | |
 | secrets.tsa.key | string | `"cert-chain"` | |
 | secrets.tsa.name | string | `"tsa-cert-chain"` | |
 | secrets.tsa.path | string | `"tsa.certchain.pem"` | |
diff --git a/charts/tuf/templates/_helpers.tpl b/charts/tuf/templates/_helpers.tpl
index 923a62ef..bccca93e 100644
--- a/charts/tuf/templates/_helpers.tpl
+++ b/charts/tuf/templates/_helpers.tpl
@@ -84,4 +84,52 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- define "tuf.metaLabels" -}} helm.sh/chart: {{ include "tuf.chart" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{/* +Check number of TUF secrets and render them as structured YAML. +*/}} +{{- define "tuf.validateSecrets" }} +{{- if not (or .Values.secrets.rekor.enabled .Values.secrets.rekor.create + .Values.secrets.fulcio.enabled .Values.secrets.fulcio.create + .Values.secrets.ctlog.enabled .Values.secrets.ctlog.create + .Values.secrets.tsa.enabled .Values.secrets.tsa.create) -}} + {{- fail "At least one secret must be provided (enabled or created)." -}} +{{- else }} + {{- include "tuf.secretsList" . | nindent 8 }} +{{- end }} +{{- end }} + +{{/* +Render TUF Secrets as structured YAML for the volume sources. +*/}} +{{- define "tuf.secretsList" -}} + {{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }} + - secret: + name: {{ .Values.secrets.ctlog.name }} + items: + - key: {{ .Values.secrets.ctlog.key }} + path: {{ .Values.secrets.ctlog.path }} + {{- end }} + {{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }} + - secret: + name: {{ .Values.secrets.fulcio.name }} + items: + - key: {{ .Values.secrets.fulcio.key }} + path: {{ .Values.secrets.fulcio.path }} + {{- end }} + {{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }} + - secret: + name: {{ .Values.secrets.rekor.name }} + items: + - key: {{ .Values.secrets.rekor.key }} + path: {{ .Values.secrets.rekor.path }} + {{- end }} + {{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }} + - secret: + name: {{ .Values.secrets.tsa.name }} + items: + - key: {{ .Values.secrets.tsa.key }} + path: {{ .Values.secrets.tsa.path }} + {{- end }} +{{- end }} diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml index 5898e61d..aa7fc176 100644 
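Review bot: `tuf.secretsList` repeats the same six-line `secret:` stanza for ctlog, fulcio, rekor and tsa, and `tuf.validateSecrets` spells out the same eight flags by hand, so adding a fifth secret means editing three places in step. If `.Values.secrets` only ever holds one mapping per component (the values.yaml and values.schema.json hunks in this diff suggest it does), a `range` over it renders the same list — Go templates walk maps in sorted key order, which is the current ctlog/fulcio/rekor/tsa order — while the `fail` check can stay as written. Separately, `validateSecrets` hardcodes `nindent 8` while deployment.yaml (`@@ -47,27 +47,8 @@`) includes it bare; moving the `nindent` to the caller keeps the helper usable at other depths and makes the indentation visible where the YAML structure depends on it.

```yaml
{{/*
Render TUF Secrets as structured YAML for the volume sources.
*/}}
{{- define "tuf.secretsList" -}}
  {{- range $component, $secret := .Values.secrets }}
  {{- if or $secret.enabled $secret.create }}
  - secret:
      name: {{ $secret.name }}
      items:
        - key: {{ $secret.key }}
          path: {{ $secret.path }}
  {{- end }}
  {{- end }}
{{- end }}
```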
--- a/charts/tuf/templates/deployment.yaml +++ b/charts/tuf/templates/deployment.yaml @@ -47,27 +47,8 @@ spec: volumes: - name: tuf-secrets projected: - sources: - - secret: - name: {{ .Values.secrets.ctlog.name }} - items: - - key: {{ .Values.secrets.ctlog.key }} - path: {{ .Values.secrets.ctlog.path }} - - secret: - name: {{ .Values.secrets.fulcio.name }} - items: - - key: {{ .Values.secrets.fulcio.key }} - path: {{ .Values.secrets.fulcio.path }} - - secret: - name: {{ .Values.secrets.rekor.name }} - items: - - key: {{ .Values.secrets.rekor.key }} - path: {{ .Values.secrets.rekor.path }} - - secret: - name: {{ .Values.secrets.tsa.name }} - items: - - key: {{ .Values.secrets.tsa.key }} - path: {{ .Values.secrets.tsa.path }} + sources: + {{- include "tuf.validateSecrets" . }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} diff --git a/charts/tuf/values.schema.json b/charts/tuf/values.schema.json index 5128f098..02fba6de 100644 --- a/charts/tuf/values.schema.json +++ b/charts/tuf/values.schema.json @@ -109,7 +109,22 @@ "ctlog": { "properties": { "create": { - "type": "boolean" + "type": "boolean", + "examples": [ + false + ] + }, + "enabled": { + "type": "boolean", + "examples": [ + false + ] + }, + "name": { + "type": "string", + "examples": [ + "rekor-public-key" + ] }, "key": { "type": "string" @@ -126,7 +141,22 @@ "fulcio": { "properties": { "create": { - "type": "boolean" + "type": "boolean", + "examples": [ + false + ] + }, + "enabled": { + "type": "boolean", + "examples": [ + false + ] + }, + "name": { + "type": "string", + "examples": [ + "fulcio-server-secret" + ] }, "key": { "type": "string" @@ -143,7 +173,22 @@ "rekor": { "properties": { "create": { - "type": "boolean" + "type": "boolean", + "examples": [ + false + ] + }, + "enabled": { + "type": "boolean", + "examples": [ + false + ] + }, + "name": { + "type": "string", + "examples": [ + "ctlog-public-key" + ] }, "key": { "type": "string" 
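Review bot: The `examples` added for `secrets.ctlog.name` and `secrets.rekor.name` in values.schema.json are swapped: the ctlog stanza (`@@ -109,7 +109,22 @@`) lists `"rekor-public-key"` and the rekor stanza (`@@ -143,7 +173,22 @@`) lists `"ctlog-public-key"`, whereas values.yaml and the tuf README pair `ctlog-public-key` with ctlog and `rekor-public-key` with rekor. Exchange the two example strings. The new `enabled` property also carries `"examples": [false]` in every stanza while the chart default is `true`; an example that matches the default, or a `"description"` stating that a secret is mounted when either `enabled` or `create` is true, would keep the schema from suggesting the opposite of the shipped configuration.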
@@ -160,7 +205,22 @@ "tsa": { "properties": { "create": { - "type": "boolean" + "type": "boolean", + "examples": [ + false + ] + }, + "enabled": { + "type": "boolean", + "examples": [ + false + ] + }, + "name": { + "type": "string", + "examples": [ + "tsa-cert-chain" + ] }, "key": { "type": "string" diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml index 34bbbfec..c9cdca2b 100644 --- a/charts/tuf/values.yaml +++ b/charts/tuf/values.yaml @@ -11,8 +11,8 @@ deployment: replicas: 1 registry: ghcr.io repository: sigstore/scaffolding/server - # v0.7.11 - version: sha256:90992e92dee398c8b9bdeec0365f2b7211f1a14b4b111e9e926c701847e995e7 + # v0.7.15 + version: sha256:982c6173b6f2f976fd9f58eb543ca9ec5f0d1b7c1a6f7bb0c4b96cff1618c62e imagePullPolicy: IfNotPresent port: 8080 tolerations: [] @@ -22,21 +22,25 @@ deployment: secrets: rekor: create: false + enabled: true name: rekor-public-key key: key path: rekor.pub fulcio: create: false + enabled: true name: fulcio-server-secret key: cert path: fulcio_v1.crt.pem ctlog: create: false + enabled: true name: ctlog-public-key key: public path: ctfe.pub tsa: create: false + enabled: true name: tsa-cert-chain key: cert-chain path: tsa.certchain.pem diff --git a/charts/updatetree/Chart.yaml b/charts/updatetree/Chart.yaml index cfa22dd2..555cc600 100644 --- a/charts/updatetree/Chart.yaml +++ b/charts/updatetree/Chart.yaml @@ -4,8 +4,8 @@ description: Update the status of an existing Trillian tree type: application -version: 0.0.14 -appVersion: 0.7.11 +version: 0.0.15 +appVersion: 0.7.15 keywords: @@ -22,4 +22,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: updatetree - image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.11@sha256:37ac271cbdb3c74e3146b35823e48391f24cc2c76b415a821c2f95a41dd64342 + image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.15@sha256:710945f110f08b01802ce0b050cac9ae55b93546c69840e54cd0fda7c8831434 
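Review bot: The new `enabled: true` keys under `secrets.*` in charts/tuf/values.yaml have no helm-docs comment, so the README rows generated for them (`secrets.ctlog.enabled` etc.) show an empty description and nothing explains how `enabled` relates to the existing `create` flag. The helper in this diff includes a secret in the `tuf-secrets` projected volume when either flag is true, so a `# --` line above each `enabled` would document the contract, e.g. `# -- mount this secret into the tuf-secrets volume; it is also mounted when create is true`. The same note applies to each of the four stanzas in this hunk.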
diff --git a/charts/updatetree/README.md b/charts/updatetree/README.md index c0fcfcfb..a5d5c1a7 100644 --- a/charts/updatetree/README.md +++ b/charts/updatetree/README.md @@ -1,6 +1,6 @@ # updatetree -![Version: 0.0.14](https://img.shields.io/badge/Version-0.0.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square) +![Version: 0.0.15](https://img.shields.io/badge/Version-0.0.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.15](https://img.shields.io/badge/AppVersion-0.7.15-informational?style=flat-square) Update the status of an existing Trillian tree @@ -29,7 +29,7 @@ Update the status of an existing Trillian tree | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `false` | | | serviceAccount.name | string | `"trillian-logserver"` | | -| spec.image | string | `"ghcr.io/sigstore/scaffolding/updatetree:v0.7.11@sha256:37ac271cbdb3c74e3146b35823e48391f24cc2c76b415a821c2f95a41dd64342"` | | +| spec.image | string | `"ghcr.io/sigstore/scaffolding/updatetree:v0.7.15@sha256:710945f110f08b01802ce0b050cac9ae55b93546c69840e54cd0fda7c8831434"` | | | spec.replicaCount | int | `1` | | | tolerations | list | `[]` | | | trillian.adminServer | string | `""` | | diff --git a/charts/updatetree/values.yaml b/charts/updatetree/values.yaml index f5c39e5c..0d3ca91b 100644 --- a/charts/updatetree/values.yaml +++ b/charts/updatetree/values.yaml 
@@ -8,7 +8,7 @@ serviceAccount: create: false spec: replicaCount: 1 - image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.11@sha256:37ac271cbdb3c74e3146b35823e48391f24cc2c76b415a821c2f95a41dd64342 + image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.15@sha256:710945f110f08b01802ce0b050cac9ae55b93546c69840e54cd0fda7c8831434 ttlSecondsAfterFinished: 3600 securityContext: runAsNonRoot: true