diff --git a/.renovate/groups.json5 b/.renovate/groups.json5
index 3d3c0be0..86d6e241 100644
--- a/.renovate/groups.json5
+++ b/.renovate/groups.json5
@@ -39,7 +39,9 @@
         "commitMessageTopic": "{{{groupName}}} group"
       },
       "separateMultipleMajor": true,
-      "separateMinorPatch": true
+      "separateMinorPatch": true,
+      // TODO: Helm chart uses separate key for digests, which Renovate seems to not recognize? maybe patching the image would be better?
+      "pinDigests": false
     },
     {
       "description": "Auto merge Github Actions",
diff --git a/kube/templates/authentik-test.yaml b/archive/kube/authentik-renovate-cve-test.yaml
similarity index 100%
rename from kube/templates/authentik-test.yaml
rename to archive/kube/authentik-renovate-cve-test.yaml
diff --git a/kube/deploy/apps/authentik/app/hr.yaml b/kube/deploy/apps/authentik/app/hr.yaml
index 65294ed2..8ee456fc 100644
--- a/kube/deploy/apps/authentik/app/hr.yaml
+++ b/kube/deploy/apps/authentik/app/hr.yaml
@@ -17,7 +17,7 @@ spec:
     image:
       repository: "ghcr.io/goauthentik/server"
       tag: "2023.10.7" # specify image tag for Renovate to pull changelogs & security info, and for security releases without a chart release
-      digest: "sha256:8ebdd51a95d3efdcb0cf3b26ed849cc0f9a8c032adb8cd595cabb59a1f321161" # TODO: apparently Renovate doesn't see this as a digest?
+      #digest: "sha256:8ebdd51a95d3efdcb0cf3b26ed849cc0f9a8c032adb8cd595cabb59a1f321161" # TODO: apparently Renovate doesn't see this as a digest?
       pullPolicy: IfNotPresent 
     # server is in active-active, 3 replicas seems to confuse authentik
     replicas: 2