diff --git a/docs/parameter_reference.md b/docs/parameter_reference.md
index 1379ba5..773ca9f 100644
--- a/docs/parameter_reference.md
+++ b/docs/parameter_reference.md
@@ -6,6 +6,7 @@
 | mode | string | helm_command | Indicates the operation to perform. Recommended, but not required. Valid options are `upgrade`, `uninstall`, `lint`, and `help`. |
 | update_dependencies | boolean | | Calls `helm dependency update` before running the main command.|
 | add_repos | list\ | helm_repos | Calls `helm repo add $repo` before running the main command. Each string should be formatted as `repo_name=https://repo.url/`. |
+| repo_ca_file | string | | TLS certificate for a chart repository certificate authority. |
 | namespace | string | | Kubernetes namespace to use for this operation. |
 | debug | boolean | | Generate debug output within drone-helm3 and pass `--debug` to all helm commands. Use with care, since the debug output may include secrets. |
diff --git a/internal/env/config.go b/internal/env/config.go
index aa853c0..dad997a 100644
--- a/internal/env/config.go
+++ b/internal/env/config.go
@@ -21,16 +21,17 @@ var (
 type Config struct {
 // Configuration for drone-helm itself
 Command string `envconfig:"mode"` // Helm command to run
- DroneEvent string `envconfig:"DRONE_BUILD_EVENT"` // Drone event that invoked this plugin.
+ DroneEvent string `envconfig:"drone_build_event"` // Drone event that invoked this plugin.
 UpdateDependencies bool `split_words:"true"` // Call `helm dependency update` before the main command
 AddRepos []string `split_words:"true"` // Call `helm repo add` before the main command
+ RepoCAFile string `envconfig:"repo_ca_file"` // CA certificate for `helm repo add`
 Debug bool `` // Generate debug output and pass --debug to all helm commands
 Values string `` // Argument to pass to --set in applicable helm commands
 StringValues string `split_words:"true"` // Argument to pass to --set-string in applicable helm commands
 ValuesFiles []string `split_words:"true"` // Arguments to pass to --values in applicable helm commands
 Namespace string `` // Kubernetes namespace for all helm commands
 KubeToken string `split_words:"true"` // Kubernetes authentication token to put in .kube/config
- SkipTLSVerify bool `envconfig:"SKIP_TLS_VERIFY"` // Put insecure-skip-tls-verify in .kube/config
+ SkipTLSVerify bool `envconfig:"skip_tls_verify"` // Put insecure-skip-tls-verify in .kube/config
 Certificate string `envconfig:"kube_certificate"` // The Kubernetes cluster CA's self-signed certificate (must be base64-encoded)
 APIServer string `envconfig:"kube_api_server"` // The Kubernetes cluster's API endpoint
 ServiceAccount string `envconfig:"kube_service_account"` // Account to use for connecting to the Kubernetes cluster
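Review bot: The comment on the new `RepoCAFile` field says less than the commit does with it: the value is a file path handed to `--ca-file`, and internal/run/upgrade.go passes it to `helm upgrade` as well as to `helm repo add`. The neighbouring `Certificate` field takes base64-encoded certificate contents, so a reader of this struct could easily supply the wrong kind of value here. I would change the comment to `// Path to a CA bundle file, passed as --ca-file to helm repo add and helm upgrade`. The Config struct continues outside the hunk.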
@@ -44,7 +45,7 @@ type Config struct {
 Release string `` // Release argument to use in applicable helm commands
 Force bool `envconfig:"force_upgrade"` // Pass --force to applicable helm commands
 AtomicUpgrade bool `split_words:"true"` // Pass --atomic to `helm upgrade`
- CleanupOnFail bool `envconfig:"CLEANUP_FAILED_UPGRADE"` // Pass --cleanup-on-fail to `helm upgrade`
+ CleanupOnFail bool `envconfig:"cleanup_failed_upgrade"` // Pass --cleanup-on-fail to `helm upgrade`
 LintStrictly bool `split_words:"true"` // Pass --strict to `helm lint`
 Stdout io.Writer `ignored:"true"`
diff --git a/internal/run/addrepo.go b/internal/run/addrepo.go
index 5ff7a6e..cfb87c2 100644
--- a/internal/run/addrepo.go
+++ b/internal/run/addrepo.go
@@ -9,8 +9,9 @@ import (
 // AddRepo is an execution step that calls `helm repo add` when executed.
 type AddRepo struct {
 *config
- repo string
- cmd cmd
+ repo string
+ caFile string
+ cmd cmd
 }
 // NewAddRepo creates an AddRepo for the given repo-spec. No validation is performed at this time.
@@ -18,6 +19,7 @@ func NewAddRepo(cfg env.Config, repo string) *AddRepo {
 return &AddRepo{
 config: newConfig(cfg),
 repo: repo,
+ caFile: cfg.RepoCAFile,
 }
 }
@@ -40,7 +42,11 @@ func (a *AddRepo) Prepare() error {
 url := split[1]
 args := a.globalFlags()
- args = append(args, "repo", "add", name, url)
+ args = append(args, "repo", "add")
+ if a.caFile != "" {
+ args = append(args, "--ca-file", a.caFile)
+ }
+ args = append(args, name, url)
 a.cmd = command(helmBin, args...)
 a.cmd.Stdout(a.stdout)
diff --git a/internal/run/addrepo_test.go b/internal/run/addrepo_test.go
index 4760d45..6633981 100644
--- a/internal/run/addrepo_test.go
+++ b/internal/run/addrepo_test.go
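Review bot: The one `caFile` is attached to every `helm repo add` that AddRepo.Prepare builds in internal/run/addrepo.go, because NewAddRepo copies the same `cfg.RepoCAFile` for each entry of `add_repos`; Upgrade.Prepare in internal/run/upgrade.go passes the same value again. As far as I know helm treats the file given to `--ca-file` as the only trust anchor for that connection rather than adding it to the system roots, so a pipeline that lists an internal repository next to a public one needs a bundle covering both CAs, otherwise the public repo fails verification. I would say so on the field, e.g. `caFile string // CA bundle passed as --ca-file for every repo in add_repos; must cover all of them`, and repeat it in the `repo_ca_file` row of the parameter reference. Prepare's body starts and ends outside the hunk.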
@@ -96,3 +96,15 @@ func (suite *AddRepoTestSuite) TestPrepareWithEqualSignInURL() {
 suite.NoError(a.Prepare())
 suite.Contains(suite.commandArgs, "https://github.com/arthur_claypool/samaritan?version=2.1")
 }
+
+func (suite *AddRepoTestSuite) TestRepoAddFlags() {
+ suite.mockCmd.EXPECT().Stdout(gomock.Any()).AnyTimes()
+ suite.mockCmd.EXPECT().Stderr(gomock.Any()).AnyTimes()
+ cfg := env.Config{
+ RepoCAFile: "./helm/reporepo.cert",
+ }
+ a := NewAddRepo(cfg, "machine=https://github.com/harold_finch/themachine")
+ suite.NoError(a.Prepare())
+ suite.Equal([]string{"repo", "add", "--ca-file", "./helm/reporepo.cert",
+ "machine", "https://github.com/harold_finch/themachine"}, suite.commandArgs)
+}
diff --git a/internal/run/upgrade.go b/internal/run/upgrade.go
index 5995200..80ccac4 100644
--- a/internal/run/upgrade.go
+++ b/internal/run/upgrade.go
@@ -22,6 +22,7 @@ type Upgrade struct {
 force bool
 atomic bool
 cleanupOnFail bool
+ caFile string
 cmd cmd
 }
@@ -43,6 +44,7 @@ func NewUpgrade(cfg env.Config) *Upgrade {
 force: cfg.Force,
 atomic: cfg.AtomicUpgrade,
 cleanupOnFail: cfg.CleanupOnFail,
+ caFile: cfg.RepoCAFile,
 }
 }
@@ -96,6 +98,9 @@ func (u *Upgrade) Prepare() error {
 for _, vFile := range u.valuesFiles {
 args = append(args, "--values", vFile)
 }
+ if u.caFile != "" {
+ args = append(args, "--ca-file", u.caFile)
+ }
 args = append(args, u.release, u.chart)
 u.cmd = command(helmBin, args...)
diff --git a/internal/run/upgrade_test.go b/internal/run/upgrade_test.go
index a73b062..770a15e 100644
--- a/internal/run/upgrade_test.go
+++ b/internal/run/upgrade_test.go
@@ -136,6 +136,7 @@ func (suite *UpgradeTestSuite) TestPrepareWithUpgradeFlags() {
 Force: true,
 AtomicUpgrade: true,
 CleanupOnFail: true,
+ RepoCAFile: "local_ca.cert",
 }
 u := NewUpgrade(cfg)
@@ -154,6 +155,7 @@ func (suite *UpgradeTestSuite) TestPrepareWithUpgradeFlags() {
 "--set-string", "height=5ft10in",
 "--values", "/usr/local/stats",
 "--values", "/usr/local/grades",
+ "--ca-file", "local_ca.cert",
 "maroon_5_memories", "hot_ac"}, args)
 return suite.mockCmd