diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..7d73d32
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,122 @@
+name: Build dev version
+
+on:
+ push:
+ workflow_dispatch:
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+ CHART_REPO: helm-charts-dev
+
+defaults:
+ run:
+ shell: bash
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ build-image:
+ runs-on: ubuntu-24.04
+ outputs:
+ image: ${{ steps.docker_image.outputs.image }}
+ image_repository: ${{ steps.docker_image.outputs.image_repository }}
+ image_tag: ${{ steps.docker_image.outputs.image_tag }}
+ image_prefix: ${{ steps.docker_image.outputs.image_prefix }}
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Setup Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: 3.11
+ - name: Install chartpress
+ run: pip install chartpress
+ - name: Get image tag from chartpress
+ id: chartpress
+ run: |
+ CHARTPRESS_TAG=$(chartpress --list-images | head -n1 | cut -d":" -f2)
+ echo "CHARTPRESS_TAG=${CHARTPRESS_TAG}"
+ echo "chartpress_tag=${CHARTPRESS_TAG}" >> "$GITHUB_OUTPUT"
+ - name: Docker image metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=${{ steps.chartpress.outputs.chartpress_tag }}
+ type=sha
+ - name: Extract Docker image name
+ id: docker_image
+ run: |
+ IMAGE=$(echo '${{ steps.meta.outputs.json }}' | jq -cr '.tags[0]')
+ echo "IMAGE=${IMAGE}"
+ IMAGE_REPOSITORY=$(echo "$IMAGE" | cut -d':' -f1)
+ echo "IMAGE_REPOSITORY=${IMAGE_REPOSITORY}"
+ IMAGE_TAG=$(echo "$IMAGE" | cut -d':' -f2)
+ echo "IMAGE_TAG=${IMAGE_TAG}"
+ IMAGE_PREFIX="$(echo "${IMAGE_REPOSITORY}" | rev | cut -d'/' -f2- | rev)/"
+ echo "IMAGE_PREFIX=${IMAGE_PREFIX}"
+ echo "image=$IMAGE" >> "$GITHUB_OUTPUT"
+ echo "image_repository=$IMAGE_REPOSITORY" >> "$GITHUB_OUTPUT"
+ echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+ echo "image_prefix=$IMAGE_PREFIX" >> "$GITHUB_OUTPUT"
+ - name: Set up Docker buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Set up Docker
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache
+ cache-to: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache,mode=max
+
+ publish-chart:
+ needs: [build-image]
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Setup Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: 3.11
+ - name: Setup Helm
+ uses: azure/setup-helm@v4
+ - name: Install chartpress
+ run: pip install chartpress
+ - name: Setup Helm push
+ run: |
+ echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
+ - name: Update chart
+ run: |
+ helm dep update deploy/csi-rclone
+ chartpress --no-build --image-prefix "${{ needs.build-image.outputs.image_prefix }}" --tag "${{ needs.build-image.outputs.image_tag }}"
+ helm lint deploy/csi-rclone
+ - name: Publish chart
+ run: |
+ helm package deploy/csi-rclone
+ helm push "csi-rclone-${{ needs.build-image.outputs.image_tag }}.tgz" "oci://${{ needs.build-image.outputs.image_repository }}/${{ env.CHART_REPO }}"
diff --git a/chartpress.yaml b/chartpress.yaml
index ffb3e0b..fabc065 100644
--- a/chartpress.yaml
+++ b/chartpress.yaml
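Review bot: `${{ secrets.GITHUB_TOKEN }}`, `${{ steps.meta.outputs.json }}` and `${{ github.actor }}` are template-expanded directly into `run:` script bodies (the "Setup Helm push" and "Extract Docker image name" steps), so the token ends up inside the generated script file and any quote character in the metadata JSON or actor name breaks the shell line instead of being treated as data; pass them through the step's `env:` and read the shell variable, e.g. `env: { HELM_USER: "${{ github.actor }}", HELM_PASSWORD: "${{ secrets.GITHUB_TOKEN }}" }` with `echo "$HELM_PASSWORD" | helm registry login "$REGISTRY" -u "$HELM_USER" --password-stdin`, and `echo "$META_JSON" | jq -cr '.tags[0]'` for the JSON. `python-version: 3.11` in both jobs is an unquoted float; it round-trips today, but `"3.11"` is the form that survives a later bump to something like 3.10 or 3.20. `concurrency.group` references `github.event.pull_request.number`, which never exists for the declared `push`/`workflow_dispatch` triggers, so the group always falls through to `<workflow>-<ref>`; presumably intended, but a short comment would say so. All actions are referenced by mutable major tags (`@v4`, `@v6`); pinning to a commit SHA with the tag in a trailing comment is the usual hardening for a workflow that holds `packages: write`.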
@@ -3,6 +3,7 @@ charts:
 imagePrefix: renku/
 resetTag: ""
 resetVersion: 0.2.0
+ baseVersion: 0.7.0-0.dev
 repo:
 git: SwissDataScienceCenter/helm-charts
 published: https://swissdatasciencecenter.github.io/helm-charts
diff --git a/deploy/csi-rclone/templates/_certificates-init-container.tpl b/deploy/csi-rclone/templates/_certificates-init-container.tpl
new file mode 100644
index 0000000..d8b6b1a
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-init-container.tpl
@@ -0,0 +1,14 @@
+{{- define "csiRcloneCertificates.initContainer" -}}
+{{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}}
+{{- $customCAsForMountsEnabled := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts -}}
+- name: init-certificates
+ image: "{{ .Values.csiNodepluginRclone.certificates.image.repository }}:{{ .Values.csiNodepluginRclone.certificates.image.tag }}"
+ volumeMounts:
+ - name: etc-ssl-certs
+ mountPath: /etc/ssl/certs/
+ {{- if or $customCAsEnabled $customCAsForMountsEnabled }}
+ - name: custom-ca-certs
+ mountPath: /usr/local/share/ca-certificates
+ readOnly: true
+ {{- end -}}
+{{- end -}}
diff --git a/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl
new file mode 100644
index 0000000..9d83c10
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl
@@ -0,0 +1,5 @@
+{{- define "csiRcloneCertificates.volumeMounts.system" -}}
+- name: etc-ssl-certs
+ mountPath: /etc/ssl/certs/
+ readOnly: true
+{{- end -}}
diff --git a/deploy/csi-rclone/templates/_certificates-volumes.tpl b/deploy/csi-rclone/templates/_certificates-volumes.tpl
new file mode 100644
index 0000000..9657a88
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-volumes.tpl
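Review bot: The `etc-ssl-certs` mount in `csiRcloneCertificates.initContainer` is deliberately writable (no `readOnly`), while `csiRcloneCertificates.volumeMounts.system` mounts the same volume with `readOnly: true`; that asymmetry is what lets the init container populate the bundle the plugin later reads, but nothing in the template says so, and a comment such as `{{/* writable on purpose: this container fills the bundle that the plugin mounts read-only */}}` above the mount would keep a future cleanup from adding `readOnly: true` here. `$customCAsEnabled` and `$customCAsForMountsEnabled` hold the lists themselves rather than booleans; this works because an empty list is falsy in `or`, but names like `$customCAs` / `$customCAsForMounts` would make the `{{- if or … }}` read as what it tests. The init container declares no `resources`, `imagePullPolicy` or `securityContext`; whether a pod-level default covers it cannot be seen from this hunk and is worth confirming, since the nodeplugin template includes it in every pod of the DaemonSet.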
@@ -0,0 +1,25 @@
+{{- define "csiRcloneCertificatesForMounts.volumes" -}}
+{{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}}
+{{- $customCAsForMountsEnabled := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts -}}
+- name: etc-ssl-certs
+ emptyDir:
+ medium: "Memory"
+{{- if or $customCAsEnabled $customCAsForMountsEnabled }}
+- name: custom-ca-certs
+ projected:
+ defaultMode: 0444
+ sources:
+ {{- if $customCAsEnabled }}
+ {{- range $customCA := .Values.csiNodepluginRclone.certificates.customCAs }}
+ - secret:
+ name: {{ $customCA.secret }}
+ {{- end -}}
+ {{- end -}}
+ {{- if $customCAsForMountsEnabled }}
+ {{- range $customCA := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts }}
+ - secret:
+ name: {{ $customCA.secret }}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml
index 7615eba..3d68cfe 100644
--- a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml
+++ b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml
@@ -20,6 +20,8 @@ spec:
 spec:
 serviceAccountName: {{ include "chart.fullname" . }}-nodeplugin
 dnsPolicy: ClusterFirstWithHostNet
+ initContainers:
+ {{- include "csiRcloneCertificates.initContainer" . | nindent 6 }}
 containers:
 - name: node-driver-registrar
 args:
@@ -143,6 +145,7 @@ spec:
 name: pods-mount-dir
 - mountPath: /var/lib/rclone
 name: cache-dir
+ {{- include "csiRcloneCertificates.volumeMounts.system" . | nindent 8 }}
 {{- with .Values.csiNodepluginRclone.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 }}
@@ -170,3 +173,4 @@ spec:
 name: registration-dir
 - name: cache-dir
 emptyDir: {}
+ {{- include "csiRcloneCertificatesForMounts.volumes" . | nindent 6 }}
diff --git a/deploy/csi-rclone/values.yaml b/deploy/csi-rclone/values.yaml
index acbad32..ebf474a 100644
--- a/deploy/csi-rclone/values.yaml
+++ b/deploy/csi-rclone/values.yaml
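Review bot: Each secret in `customCAs` and `customCAsForDataConnectorMounts` is projected whole (`- secret:` / `name:` with no `items:`), so every key of every listed secret lands in the same `custom-ca-certs` directory; a secret that appears in both lists is emitted as two sources, and a key present in two different secrets is resolved by the projected volume at pod start (verify whether the kubelet rejects it or silently keeps one) rather than caught by `helm lint`. The values.yaml comment carries the uniqueness rule, but the template itself does not; `{{/* no items: filter — every key of each secret is projected, so keys must be unique across all listed secrets */}}` above `sources:` would record it next to the code that depends on it. `defaultMode: 0444` is the conventional Kubernetes octal spelling and parses to the integer the API expects, so it can stay as is.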
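Review bot: The three includes in csi-nodeplugin-rclone.yaml are spliced at fixed `nindent` depths (6 for `initContainers:` and the `volumes` entry, 8 for the container's `volumeMounts:`), which assumes the enclosing lists sit at exactly the indentation the context lines show; the pod spec starts and ends outside every hunk, so this cannot be checked here and deserves a `helm template` run against default values before merge. Nothing states why the certificate step is an init container rather than a sidecar — presumably so the bundle in the shared `etc-ssl-certs` emptyDir is complete before the plugin container starts — and a one-line comment above `initContainers:` such as `# fills the CA bundle in etc-ssl-certs before the plugin container mounts it read-only` would record that; the same note applies to the `@@ -170,3 +173,4 @@` hunk that adds the volume.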
@@ -106,6 +106,19 @@ csiNodepluginRclone:
 # value: "32M"
 # - name: "transfers"
 # value: "8"
+ ## Specify the name of a existing K8s secrets that contains the certificate
+ ## if you would like to use custom CAs. The key for the secret
+ ## should have the .crt extension otherwise it is ignored. The
+ ## keys across all secrets are mounted as files in one location so
+ ## the keys across all secrets have to be unique.
+ certificates:
+ image:
+ repository: renku/certificates
+ tag: "0.0.2"
+ customCAs: []
+ # - secret:
+ customCAsForDataConnectorMounts: []
+ # - secret:
 serviceAccount:
 annotations: {}
 nodeSelector: {}
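Review bot: The new comment reads `a existing K8s secrets that contains the certificate`; `an existing Kubernetes Secret that contains the certificate(s)` is the grammatical form, and the two example entries `# - secret:` show no value, so `# - secret: <name-of-secret>` would make the expected item shape visible to someone copying it. The comment also states that keys without a `.crt` extension are ignored, but `_certificates-volumes.tpl` projects every key unfiltered, so that filtering presumably happens inside the `renku/certificates` init image; saying `(ignored by the init-certificates container)` keeps the claim honest about where it is enforced. `tag: "0.0.2"` is correctly quoted, and the empty-list defaults match how the templates test these values with `if or`.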