diff --git a/.github/kubeconform.sh b/.github/kubeconform.sh
index bd16579a..3f533162 100755
--- a/.github/kubeconform.sh
+++ b/.github/kubeconform.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 set -euo pipefail
 
-KUBECONFORM_VERSION="v0.6.1"
+KUBECONFORM_VERSION="v0.6.7"
 OS=$(uname)
+: ${KUBERNETES_VERSION:=v1.31.1}
 
 CHANGED_CHARTS=${CHANGED_CHARTS:-${1:-}}
 if [ -n "$CHANGED_CHARTS" ];
@@ -12,6 +13,13 @@ else
   CHART_DIRS=$(ls -d charts/*)
 fi
 
+KUBECONFORM_OPTS="\
+--strict \
+--summary \
+--schema-location default \
+--schema-location https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json \
+"
+
 # install kubeconform
 curl --silent --show-error --fail --location --output /tmp/kubeconform.tar.gz "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-${OS}-amd64.tar.gz"
 tar -xf /tmp/kubeconform.tar.gz kubeconform
@@ -22,11 +30,11 @@ for CHART_DIR in ${CHART_DIRS}; do
   helm dep up "${CHART_DIR}"
   for VALUES_FILE in $(find "${CHART_DIR}/ci" -name '*values.yaml'); do
     helm template --kube-version "${KUBERNETES_VERSION#v}" --values "${VALUES_FILE}" "${CHART_DIR}" \
-      | ./kubeconform --strict --summary --kubernetes-version "${KUBERNETES_VERSION#v}"
+      | ./kubeconform $KUBECONFORM_OPTS --kubernetes-version "${KUBERNETES_VERSION#v}"
     for OPTION_FILE in $(find "${CHART_DIR}/ci" -name '*option.yaml'); do
       echo "== Checking values file: ${VALUES_FILE} and option file: ${OPTION_FILE}"
       helm template --kube-version "${KUBERNETES_VERSION#v}" --values "${VALUES_FILE}" --values "${OPTION_FILE}" "${CHART_DIR}" \
-        | ./kubeconform --strict --summary --kubernetes-version "${KUBERNETES_VERSION#v}"
+        | ./kubeconform $KUBECONFORM_OPTS --kubernetes-version "${KUBERNETES_VERSION#v}"
     done
   done
 done
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d922e69a..2c31c679 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -93,12 +93,12 @@ jobs:
         # When changing versions here, check that the version exists at:
         # https://github.com/yannh/kubernetes-json-schema
         k8s:
-          - v1.28.2
+          - v1.32.2
+          - v1.31.6
+          - v1.30.10
+          - v1.29.10
+          - v1.28.15
           - v1.27.6
-          - v1.26.5
-          - v1.25.2
-          - v1.24.2
-          - v1.22.9
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -122,12 +122,8 @@ jobs:
       matrix:
         # Only keep a couple because they take ~5 min each to run :(
         k8s:
-          - v1.26.4
-          # - v1.25.2
-          # - v1.24.2
-          - v1.22.9
-          # - v1.18.20
-          # - v1.16.15
+          - v1.31.6
+          - v1.27.6
     steps:
       - name: Checkout
         uses: actions/checkout@v3
diff --git a/charts/retool/Chart.yaml b/charts/retool/Chart.yaml
index af8dcea8..afb2dd6a 100644
--- a/charts/retool/Chart.yaml
+++ b/charts/retool/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.4.2
+version: 6.4.3
 maintainers:
   - name: Retool Engineering
     email: engineering+helm@retool.com
diff --git a/charts/retool/ci/test-eso-secretref-option.yaml b/charts/retool/ci/test-eso-secretref-option.yaml
new file mode 100644
index 00000000..08d11f9f
--- /dev/null
+++ b/charts/retool/ci/test-eso-secretref-option.yaml
@@ -0,0 +1,14 @@
+externalSecrets:
+  enabled: false
+  includeConfigSecrets: false
+  name: retool-config
+  externalSecretsOperator:
+    enabled: true
+    backendType: secretsManager
+    useLegacyCR: false
+    secretStoreRef:
+      name: retool
+      kind: SecretStore
+    secretRef:
+      - name: retool-config
+        path: mysecret
diff --git a/charts/retool/templates/externalsecret.yaml b/charts/retool/templates/externalsecret.yaml
index 4d30ff5b..406eb0ba 100644
--- a/charts/retool/templates/externalsecret.yaml
+++ b/charts/retool/templates/externalsecret.yaml
@@ -24,10 +24,10 @@ metadata:
   name: {{ .name }}
   namespace: {{ $.Release.Namespace }}
 spec:
-  refreshInterval: {{ .Values.externalSecrets.externalSecretsOperator.refreshInterval }}
+  refreshInterval: {{ $.Values.externalSecrets.externalSecretsOperator.refreshInterval }}
   secretStoreRef:
-    name: {{ .Values.externalSecrets.externalSecretsOperator.secretStoreRef.name }}
-    kind: {{ .Values.externalSecrets.externalSecretsOperator.secretStoreRef.kind }}
+    name: {{ $.Values.externalSecrets.externalSecretsOperator.secretStoreRef.name }}
+    kind: {{ $.Values.externalSecrets.externalSecretsOperator.secretStoreRef.kind }}
   target:
     name: {{ .name }}
     creationPolicy: Owner