diff --git a/.github/workflows/container_release4.yml b/.github/workflows/container_release4.yml
index 8ddcfb429..5f33b821a 100644
--- a/.github/workflows/container_release4.yml
+++ b/.github/workflows/container_release4.yml
@@ -17,6 +17,18 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v2
+      -
+        name: Free Disk Space
+        run: |
+          echo "Before cleanup:"
+          df -h
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo docker system prune -af
+          echo "After cleanup:"
+          df -h
       -
         name: Docker meta
         id: docker_meta
diff --git a/k8s/charts/seaweedfs/templates/cert/ca-cert.yaml b/k8s/charts/seaweedfs/templates/cert/ca-cert.yaml
index 0420a52eb..b01a8dcc0 100644
--- a/k8s/charts/seaweedfs/templates/cert/ca-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/cert/ca-cert.yaml
@@ -13,11 +13,11 @@ spec:
   secretName: {{ template "seaweedfs.name" . }}-ca-cert
   commonName: "{{ template "seaweedfs.name" . }}-root-ca"
   isCA: true
-  {{- if .Values.certificates.duration }}
-  duration: {{ .Values.certificates.duration }}
+  {{- if .Values.certificates.ca.duration }}
+  duration: {{ .Values.certificates.ca.duration }}
   {{- end }}
-  {{- if .Values.certificates.renewBefore }}
-  renewBefore: {{ .Values.certificates.renewBefore }}
+  {{- if .Values.certificates.ca.renewBefore }}
+  renewBefore: {{ .Values.certificates.ca.renewBefore }}
   {{- end }}
   issuerRef:
     name: {{ template "seaweedfs.name" . }}-issuer
diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml
index 66c893bc2..547b05479 100644
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@@ -1270,6 +1270,9 @@ certificates:
   keySize: 2048
   duration: 2160h  # 90d
   renewBefore: 360h  # 15d
+  ca:
+    duration: 87600h  # 10 years
+    renewBefore: 720h  # 30d
   externalCertificates:
     # This will avoid the need to use cert-manager and will rely on providing your own external certificates and CA
     # you will need to store your provided certificates in the secret read by the different services: