diff --git a/deploy/templates/app-deployment.yaml b/deploy/templates/app-deployment.yaml
index 3f9b5c2..8d28f98 100644
--- a/deploy/templates/app-deployment.yaml
+++ b/deploy/templates/app-deployment.yaml
@@ -36,8 +36,8 @@ spec:
               containerPort: {{ .Values.app.service.port }}
               protocol: TCP
           envFrom:
-            - configMapRef:
-                name: {{ include "gitdata.fullname" . }}-config
+            - secretRef:
+                name: {{ include "gitdata.fullname" . }}-secrets
             {{- range .Values.app.env }}
             - name: {{ .name }}
               value: {{ .value | quote }}
diff --git a/deploy/templates/email-worker-deployment.yaml b/deploy/templates/email-worker-deployment.yaml
index 9d42762..1787328 100644
--- a/deploy/templates/email-worker-deployment.yaml
+++ b/deploy/templates/email-worker-deployment.yaml
@@ -31,8 +31,8 @@ spec:
           image: "{{ .Values.image.registry }}/{{ .Values.emailWorker.image.repository }}:{{ .Values.emailWorker.image.tag }}"
           imagePullPolicy: {{ .Values.emailWorker.image.pullPolicy | default .Values.image.pullPolicy }}
           envFrom:
-            - configMapRef:
-                name: {{ include "gitdata.fullname" . }}-config
+            - secretRef:
+                name: {{ include "gitdata.fullname" . }}-secrets
             {{- range .Values.emailWorker.env }}
             - name: {{ .name }}
               value: {{ .value | quote }}
diff --git a/deploy/templates/git-hook-deployment.yaml b/deploy/templates/git-hook-deployment.yaml
index 05d5fbf..0cb0d9e 100644
--- a/deploy/templates/git-hook-deployment.yaml
+++ b/deploy/templates/git-hook-deployment.yaml
@@ -31,8 +31,8 @@ spec:
           image: "{{ .Values.image.registry }}/{{ .Values.gitHook.image.repository }}:{{ .Values.gitHook.image.tag }}"
           imagePullPolicy: {{ .Values.gitHook.image.pullPolicy | default .Values.image.pullPolicy }}
           envFrom:
-            - configMapRef:
-                name: {{ include "gitdata.fullname" . }}-config
+            - secretRef:
+                name: {{ include "gitdata.fullname" . }}-secrets
             {{- range .Values.gitHook.env }}
             - name: {{ .name }}
               value: {{ .value | quote }}
diff --git a/deploy/templates/gitserver-deployment.yaml b/deploy/templates/gitserver-deployment.yaml
index 2d766cc..5b5fe3f 100644
--- a/deploy/templates/gitserver-deployment.yaml
+++ b/deploy/templates/gitserver-deployment.yaml
@@ -45,8 +45,8 @@ spec:
               containerPort: {{ $svc.service.ssh.port }}
               protocol: TCP
           envFrom:
-            - configMapRef:
-                name: {{ $fullName }}-config
+            - secretRef:
+                name: {{ $fullName }}-secrets
           env:
             - name: APP_REPOS_ROOT
               value: /data/repos
diff --git a/deploy/templates/operator-deployment.yaml b/deploy/templates/operator-deployment.yaml
index 5555cfc..1319a81 100644
--- a/deploy/templates/operator-deployment.yaml
+++ b/deploy/templates/operator-deployment.yaml
@@ -30,8 +30,8 @@ spec:
           image: "{{ .Values.image.registry }}/{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}"
           imagePullPolicy: {{ .Values.operator.image.pullPolicy | default .Values.image.pullPolicy }}
           envFrom:
-            - configMapRef:
-                name: {{ include "gitdata.fullname" . }}-config
+            - secretRef:
+                name: {{ include "gitdata.fullname" . }}-secrets
           env:
             - name: OPERATOR_IMAGE_PREFIX
               value: {{ .Values.operator.imagePrefix | default (printf "%s/" (include "gitdata.fullname" .)) | quote }}
diff --git a/deploy/templates/secret.yaml b/deploy/templates/secret.yaml
index 0f797ae..4d1d03d 100644
--- a/deploy/templates/secret.yaml
+++ b/deploy/templates/secret.yaml
@@ -9,7 +9,9 @@
 */ -}}
 
 {{- $secrets := .Values.secrets | default dict -}}
-{{- if $secrets.create -}}
+{{- /* Always render Secret (helm.sh/resource-policy: keep prevents deletion on upgrade) */ -}}
+{{- /* Set secrets.enabled: false to disable */ -}}
+{{- if ne $secrets.enabled false -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -57,6 +59,12 @@ stringData:
   {{- if $secrets.sshDomain }}
   APP_SSH_DOMAIN: {{ $secrets.sshDomain | quote }}
   {{- end }}
+  {{- if $secrets.sshPort }}
+  APP_SSH_PORT: {{ $secrets.sshPort | quote }}
+  {{- end }}
+  {{- if $secrets.sshServerPrivateKey }}
+  APP_SSH_SERVER_PRIVATE_KEY: {{ $secrets.sshServerPrivateKey | quote }}
+  {{- end }}
   {{- range $key, $value := $secrets.extra | default dict }}
   {{ $key }}: {{ $value | quote }}
   {{- end }}
diff --git a/deploy/templates/static-deployment.yaml b/deploy/templates/static-deployment.yaml
index 062ef9a..3cdf841 100644
--- a/deploy/templates/static-deployment.yaml
+++ b/deploy/templates/static-deployment.yaml
@@ -41,8 +41,8 @@ spec:
               containerPort: {{ $svc.service.port }}
               protocol: TCP
           envFrom:
-            - configMapRef:
-                name: {{ $fullName }}-config
+            - secretRef:
+                name: {{ $fullName }}-secrets
           env:
             - name: STATIC_ROOT
               value: /data