diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf9a2b2d36e50bee2cd9f93966a25cdd77c109c4..bdd2d9045c710c9c9a5a45b0de7f932f142ff7f2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [0.1.3-bb.0] - 2021-04-08
+### Added
+- Values passthroughs for secret env values
+- Moved all envs to a secret that chart creates
+
 ## [0.1.2-bb.0] - 2021-04-05
 ### Changed
 - Modified the way affinity is passed to simplify and standardize
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 3bf84af5fb016d0a65cb1dcf80866947821e9858..797db350e5d31b04a568fba50555471ed893ac6b 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v2
 name: mattermost
 type: application
-version: "0.1.2-bb.0"
+version: "0.1.3-bb.0"
 appVersion: "5.32.1"
 description: "Deployment of mattermost"
 keywords: 
diff --git a/chart/templates/env-secret.yaml b/chart/templates/env-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..792de57b75b77960d6927e589d70cc04c0260d37
--- /dev/null
+++ b/chart/templates/env-secret.yaml
@@ -0,0 +1,28 @@
+{{- if or .Values.mattermostEnvs .Values.sso.enabled .Values.minio.install }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-envs
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "mattermost.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "envs"
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+type: Opaque
+stringData:
+  {{- if .Values.mattermostEnvs }}
+  {{ tpl (toYaml .Values.mattermostEnvs) . | nindent 2}}
+  {{- end }}
+  {{- if .Values.sso.enabled }}
+  MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled }}"
+  MM_GITLABSETTINGS_ID: "{{ .Values.sso.client_id }}"
+  MM_GITLABSETTINGS_SECRET: "{{ .Values.sso.client_secret }}"
+  MM_GITLABSETTINGS_AUTHENDPOINT: "{{ .Values.sso.auth_endpoint }}"
+  MM_GITLABSETTINGS_TOKENENDPOINT: "{{ .Values.sso.token_endpoint }}"
+  MM_GITLABSETTINGS_USERAPIENDPOINT: "{{ .Values.sso.user_api_endpoint }}"
+  {{- end }}
+  {{- if .Values.minio.install }}
+  MM_FILESETTINGS_AMAZONS3SSL: "false"
+  {{- end }}
+{{- end }}
diff --git a/chart/templates/mattermost.yaml b/chart/templates/mattermost.yaml
index aeb23f670945eb10ab9737050293b38c43708b45..d625eb4c413e077ff7d81ae4f21ccb4373067deb 100644
--- a/chart/templates/mattermost.yaml
+++ b/chart/templates/mattermost.yaml
@@ -24,29 +24,56 @@ spec:
   licenseSecret: "mattermost-license"
   {{- end }}
 
-  {{- if or .Values.mattermostEnvs .Values.sso.enabled .Values.minio.install }}
+  {{- if or .Values.mattermostEnvs .Values.sso.enabled .Values.minio.install .Values.existingSecretEnvs }}
   mattermostEnv:
   {{- range $k, $v := .Values.mattermostEnvs }}
   - name: {{ $k }}
-    value: {{ $v | quote }}
+    valueFrom:
+      secretKeyRef:
+        key: {{ $k }}
+        name: "mattermost-envs"
   {{- end }}
   {{- if .Values.sso.enabled }}
   - name: MM_GITLABSETTINGS_ENABLE
-    value: "{{ .Values.sso.enabled }}"
+    valueFrom:
+      secretKeyRef:
+        key: MM_GITLABSETTINGS_ENABLE
+        name: "mattermost-envs"
   - name: MM_GITLABSETTINGS_ID
-    value: "{{ .Values.sso.client_id }}"
+    valueFrom:
+      secretKeyRef:
+        key: MM_GITLABSETTINGS_ID
+        name: "mattermost-envs"
   - name: MM_GITLABSETTINGS_SECRET
-    value: "{{ .Values.sso.client_secret }}"
+    valueFrom:
+      secretKeyRef:
+        key: MM_GITLABSETTINGS_SECRET
+        name: "mattermost-envs"
   - name: MM_GITLABSETTINGS_AUTHENDPOINT
-    value: "{{ .Values.sso.auth_endpoint }}"
+    valueFrom:
+      secretKeyRef:
+        key: MM_GITLABSETTINGS_AUTHENDPOINT
+        name: "mattermost-envs"
   - name: MM_GITLABSETTINGS_TOKENENDPOINT
-    value: "{{ .Values.sso.token_endpoint }}"
+    valueFrom:
+      secretKeyRef:
+        key: MM_GITLABSETTINGS_TOKENENDPOINT
+        name: "mattermost-envs"
   - name: MM_GITLABSETTINGS_USERAPIENDPOINT
-    value: "{{ .Values.sso.user_api_endpoint }}"
+    valueFrom:
+      secretKeyRef:
+        key: MM_GITLABSETTINGS_USERAPIENDPOINT
+        name: "mattermost-envs"
   {{- end }}
   {{- if .Values.minio.install }}
   - name: MM_FILESETTINGS_AMAZONS3SSL
-    value: "false"
+    valueFrom:
+      secretKeyRef:
+        key: MM_FILESETTINGS_AMAZONS3SSL
+        name: "mattermost-envs"
+  {{- end }}
+  {{- range .Values.existingSecretEnvs }}
+  - {{ tpl (toYaml .) $ | nindent 4 }}
   {{- end }}
   {{- end }}
 
diff --git a/chart/values.yaml b/chart/values.yaml
index b84e400956d4f084bb1edf8bd142a6ac30a1e101..10f87f41ec6f7c731f47f17bb1a16253f91564e1 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -77,7 +77,23 @@ affinity: {}
 nodeSelector: {}
   # node-type: mattermost
 
+# Any ENVs provided here get put into a `mattermost-envs` secret and pulled into the env
 mattermostEnvs: {}
+  # MM_ENV_NAME: "{{ .Values.users }}"
+  # ANOTHER_ENV_NAME: "anothervalue"
+
+# Use this to point to pull in ENV values from existing secrets
+existingSecretEnvs: {}
+  # - name: MM_SQLSETTINGS_DATASOURCEREPLICAS
+  #   valueFrom:
+  #     secretKeyRef:
+  #       key: READER_DB_CONNECTION_STRING
+  #       name: '{{ .Values.database.secret | default (printf "%s-dbcreds" (include "mattermost.fullname" .)) }}'
+  # - name: MM_ANOTHER_VAR
+  #   valueFrom:
+  #     secretKeyRef:
+  #       key: DB_CONNECTION_CHECK_URL
+  #       name: "mysecretname"
 
 minio:
   install: false