diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 8ecb46a..2751cb9 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -3,6 +3,7 @@ on: schedule: - cron: '0 10 * * *' # everyday at 10am push: + branches: master tags: - 'v*.*.*' paths: @@ -29,7 +30,7 @@ jobs: - name: Checkout uses: actions/checkout@v2 - name: Set up Go 1.15 - uses: actions/setup-go@v1 + uses: actions/setup-go@v2 with: go-version: '~1.15.0' - name: Setup Kubebuilder @@ -73,6 +74,8 @@ jobs: tags: ${{ steps.prep.outputs.tags }} - name: Set up QEMU uses: docker/setup-qemu-action@v1 + with: + platforms: ${{ env.PLATFORMS }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 with: diff --git a/CHANGELOG.md b/CHANGELOG.md index e7bdd9a..056a4be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
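Review bot: The bumped `uses: actions/setup-go@v2` still references a mutable tag, as do the unchanged `actions/checkout@v2`, `docker/setup-qemu-action@v1` and `docker/setup-buildx-action@v1` around it, so whatever commit those tags are moved to later runs with every secret this job exposes (the `prep` step producing image tags suggests registry credentials are in play). Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/setup-go@<commit-sha-of-v2-tag> # v2`, and let dependency-update tooling bump the SHA. In the QEMU hunk, `platforms: ${{ env.PLATFORMS }}` reads a workflow-level `PLATFORMS` variable that none of these hunks define; confirm it exists in the workflow's `env:` block and that it lists the same targets as the Makefile's `ARCHS`, otherwise the emulators installed and the binaries built can silently diverge.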
@@ -7,9 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 --> ## [Unreleased](https://github.com/itscontained/secret-manager/compare/v0.2.0...HEAD) +- Fix double base64 encoding of secrets ([#59](https://github.com/itscontained/secret-manager/pull/59) [@devth](https://github.com/devth)) +- Fix incorrect service account token path for vault store authentication ([#66](https://github.com/itscontained/secret-manager/pull/66) [@huguesalary](https://github.com/huguesalary)) +- Fix nil pointer panic on an error during vault store authentication([#65](https://github.com/itscontained/secret-manager/pull/65) [@huguesalary](https://github.com/huguesalary)) - Fix Vault API path for v1 secret engine ([#42](https://github.com/itscontained/secret-manager/pull/42) [@c35sys](https://github.com/c35sys)) - Add E2E testing structure and tests for AWS Secret Manager ([#39](https://github.com/itscontained/secret-manager/pull/39) [@moolen](https://github.com/moolen)) - Fix logging flag registration ([#46](https://github.com/itscontained/secret-manager/pull/46) [@mcavoyk](https://github.com/mcavoyk)) +- Change base docker image from `gcr.io/distroless/static` to `alpine:3.12` ([#67](https://github.com/itscontained/secret-manager/pull/67) [@mcavoyk](https://github.com/mcavoyk)) ## [0.2.0](https://github.com/itscontained/secret-manager/compare/v0.1.0...v0.2.0) - 2020-09-17 - Add GCP Secret Manager store backend ([#36](https://github.com/itscontained/secret-manager/pull/36) [@DirtyCajunRice](https://github.com/DirtyCajunRice)) diff --git a/Dockerfile b/Dockerfile index 3bb96b9..ee74f63 100755 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,7 @@ # Build the manager binary -FROM golang:1.15.2-buster as builder +ARG BUILDPLATFORM=linux/amd64 +ARG GO_VERSION=1.15.3 +FROM --platform=$BUILDPLATFORM golang:$GO_VERSION-buster as builder WORKDIR /workspace # Copy the Go Modules manifests 
@@ -19,11 +21,14 @@ COPY build build/ COPY .git .git/ # Build -RUN make build +ARG ARCHS +RUN make build-multiarch + +FROM alpine:3.12 + +ARG TARGETOS=linux +ARG TARGETARCH=amd64 -# Use distroless as minimal base image to package the manager binary -# Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot-amd64 WORKDIR / LABEL maintainer="DirtyCajunRice,mcavoyk" \ org.opencontainers.image.created=$BUILD_DATE \ @@ -35,7 +40,10 @@ LABEL maintainer="DirtyCajunRice,mcavoyk" \ org.opencontainers.image.title="secret-manager" \ org.opencontainers.image.description="Secret Manager is a set of Kubernetes CRDs and controllers which define a common method of interacting with External SecretStores." \ org.opencontainers.image.licenses="APACHE" -COPY --from=builder /workspace/bin/manager . -USER nonroot:nonroot +COPY --from=builder "/workspace/bin/manager-$TARGETOS-$TARGETARCH" /manager + +# Run as UID for nobody since k8s pod securityContext runAsNonRoot can't resolve the user ID: +# https://github.com/kubernetes/kubernetes/issues/40958 +USER 65534 ENTRYPOINT ["/manager"] diff --git a/Makefile b/Makefile index d19092f..e44452f 100755 --- a/Makefile +++ b/Makefile @@ -1,7 +1,8 @@ -MAKEFLAGS += --warn-undefined-variables -SHELL := /bin/bash -.SHELLFLAGS := -euo pipefail -c +MAKEFLAGS += --warn-undefined-variables +SHELL := /bin/bash +.SHELLFLAGS := -euo pipefail -c .DEFAULT_GOAL := all +ARCHS ?= arm64 amd64 arm # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) @@ -24,7 +25,7 @@ IMG_TAG ?= ${GIT_TAG} IMG ?= itscontained/secret-manager:${IMG_TAG} HELM_DIR ?= deploy/charts/secret-manager -DOCKER_BUILD_FLAGS = +DOCKER_BUILD_FLAGS ?= all: docker-build 
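Review bot: `FROM alpine:3.12` replaces the `gcr.io/distroless/static:nonroot-amd64` base with an image that carries a shell and a package manager, which widens what code execution inside the pod can reach, and the tag is mutable so the runtime image can change underneath an otherwise reproducible build; the same mutability applies to `golang:$GO_VERSION-buster` in the first Dockerfile hunk. If the switch is only for multi-arch support, distroless publishes multi-arch manifests for its `static` images as far as I know (the `nonroot` tag without the `-amd64` suffix), which would keep the previous footprint; if alpine is intended, pin it by digest, `FROM alpine:3.12@sha256:<digest-placeholder>`, and keep the `USER 65534` line the third hunk adds. The two comment lines the hunk deletes documented why the old base was chosen; add an equivalent one-line comment above the new `FROM` recording the reason for alpine so the next reader does not reintroduce distroless blindly.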
@@ -61,6 +62,11 @@ test: ## Run tests build: generate ## Build manager binary CGO_ENABLED=0 go build -a -ldflags '$(LDFLAGS)' -o bin/manager ./cmd/controller/main.go +build-multiarch: ## Build multi-arch manager binary + for arch in $(ARCHS); do \ + CGO_ENABLED=0 GOOS=linux GOARCH=$${arch} go build -a -ldflags '$(LDFLAGS)' -o "bin/manager-linux-$${arch}" ./cmd/controller/main.go ;\ + done ;\ + manifests: controller-gen ## Generate CRD manifests $(CONTROLLER_GEN) "crd:crdVersions=v1" paths="./pkg/apis/..." output:crd:artifacts:config=deploy/crds $(CONTROLLER_GEN) "crd:crdVersions=v1beta1,preserveUnknownFields=false" paths="./pkg/apis/..." output:crd:artifacts:config=deploy/crds/legacy diff --git a/e2e/Dockerfile b/e2e/Dockerfile index 688fc56..5845bcf 100644 --- a/e2e/Dockerfile +++ b/e2e/Dockerfile @@ -1,4 +1,5 @@ -FROM golang:1.15 as BASE +ARG GO_VERSION=1.15.3 +FROM golang:$GO_VERSION-buster as builder ENV KUBECTL_VERSION="v1.19.2" ENV HELM_VERSION="v3.3.4" @@ -18,9 +19,9 @@ RUN apk add -U --no-cache \ libc6-compat \ openssl -COPY --from=BASE /go/bin/ginkgo /usr/local/bin/ -COPY --from=BASE /usr/local/bin/kubectl /usr/local/bin/ -COPY --from=BASE /usr/local/bin/helm /usr/local/bin/ +COPY --from=builder /go/bin/ginkgo /usr/local/bin/ +COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/ +COPY --from=builder /usr/local/bin/helm /usr/local/bin/ COPY entrypoint.sh /entrypoint.sh COPY e2e.test /e2e.test diff --git a/e2e/Makefile b/e2e/Makefile index a411f4d..cd49ad6 100644 --- a/e2e/Makefile +++ b/e2e/Makefile 
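Review bot: The `done ;\` closing the new `build-multiarch` recipe ends with a line continuation into the blank line that follows, so the shell is handed a dangling `;` and the recipe silently swallows whatever line is added after it next; end it with `done` and no trailing `;\`. `-a` forces every dependency, standard library included, to be rebuilt once per entry in `ARCHS` (three times with the default `arm64 amd64 arm`) although the build cache already keys on `GOOS`/`GOARCH`, so dropping it would not change the output. `GOARCH=arm` is built without an explicit `GOARM`, so the ARM floating-point ABI is whatever the toolchain defaults to; set it explicitly if the `arm` image targets a particular board class.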
@@ -1,16 +1,21 @@ -IMG=secret-manager-e2e:test +MAKEFLAGS += --warn-undefined-variables +SHELL := /bin/bash +.SHELLFLAGS := -euo pipefail -c -start-kind: +IMG_TAG=test +IMG=itscontained/secret-manager-e2e:test + +start-kind: ## Start kind cluster kind create cluster \ --name secret-manager \ --config kind.yaml \ --retain \ --image "kindest/node:v1.19.1" -test: e2e-image - $(MAKE) -C ../ docker-build IMG=secret-manager:test - kind load docker-image --name="secret-manager" secret-manager:test - kind load docker-image --name="secret-manager" secret-manager-e2e:test +test: e2e-image ## Run e2e tests against current kube context + $(MAKE) -C ../ docker-build IMG_TAG=$(IMG_TAG) DOCKER_BUILD_FLAGS="--build-arg ARCHS=amd64" + kind load docker-image --name="secret-manager" itscontained/secret-manager:$(IMG_TAG) + kind load docker-image --name="secret-manager" $(IMG) ./run.sh e2e-bin: @@ -21,4 +26,9 @@ e2e-image: e2e-bin mkdir -p k8s $(MAKE) -C ../ crds-to-chart cp -r ../deploy ./k8s - docker build -t ${IMG} . + docker build -t $(IMG) . + +help: ## displays this help message + @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_\/-]+:.*?## / {printf "\033[34m%-18s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) | \ + sort | \ + grep -v '#' diff --git a/e2e/tests/aws.go b/e2e/tests/aws.go index 068f4d6..e21749c 100644 --- a/e2e/tests/aws.go +++ b/e2e/tests/aws.go @@ -121,8 +121,8 @@ var _ = ginkgo.Describe("[aws]", func() { gomega.Expect(f.KubeClient.Get(context.Background(), key, fetchedSecret)).Should(gomega.Succeed()) return fetchedSecret.Data }, framework.DefaultTimeout, framework.Poll).Should(gomega.Equal(map[string][]byte{ - "username-from-aws": []byte(b64enc("bob")), - "password-from-aws": []byte(b64enc("abc123xyz456")), + "username-from-aws": []byte("bob"), + "password-from-aws": []byte("abc123xyz456"), }), "The generated secret should be created") }) }) diff --git a/e2e/tests/common.go b/e2e/tests/common.go deleted file mode 100644 index 1ce378f..0000000 
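Review bot: `IMG=itscontained/secret-manager-e2e:test` hardcodes the tag while the `test` target builds and loads the controller image as `itscontained/secret-manager:$(IMG_TAG)`, so `make test IMG_TAG=foo` loads a controller tagged `foo` next to an e2e image still tagged `test`; derive it as `IMG=itscontained/secret-manager-e2e:$(IMG_TAG)` and declare `IMG_TAG ?= test` so the tag can also come from the environment. The e2e image was renamed from `secret-manager-e2e:test` to the `itscontained/`-prefixed name; `./run.sh` and the kind manifests are not in this diff, so confirm they do not still reference the old name.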
--- a/e2e/tests/common.go +++ /dev/null @@ -1,23 +0,0 @@ -/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package tests - -import ( - "encoding/base64" -) - -func b64enc(str string) string { - return base64.StdEncoding.EncodeToString([]byte(str)) -} diff --git a/pkg/apis/meta/v1/zz_generated.deepcopy.go b/pkg/apis/meta/v1/zz_generated.deepcopy.go index fbb7300..af4d465 100755 --- a/pkg/apis/meta/v1/zz_generated.deepcopy.go +++ b/pkg/apis/meta/v1/zz_generated.deepcopy.go @@ -18,6 +18,8 @@ limitations under the License. package v1 +import () + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Condition) DeepCopyInto(out *Condition) { *out = *in