diff --git a/charts/drone/Chart.yaml b/charts/drone/Chart.yaml
index 7557939..9f43215 100644
--- a/charts/drone/Chart.yaml
+++ b/charts/drone/Chart.yaml
@@ -14,4 +14,7 @@ dependencies:
 - name: drone-runner-docker
 repository: https://charts.drone.io
 version: "0.6.1"
- alias: drone-runner
\ No newline at end of file
+ alias: drone-runner
+ - name: drone-kubernetes-secrets
+ repository: https://charts.drone.io
+ version: "0.1.4"
diff --git a/charts/drone/templates/kubernetes_secrets_secret.yaml b/charts/drone/templates/kubernetes_secrets_secret.yaml
new file mode 100644
index 0000000..db27f14
--- /dev/null
+++ b/charts/drone/templates/kubernetes_secrets_secret.yaml
@@ -0,0 +1,22 @@
+{{- /*
+ https://itnext.io/manage-auto-generated-secrets-in-your-helm-charts-5aee48ba6918
+ */}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "kubernetes-secrets-secret"
+ annotations:
+ "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+ # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
+ {{- $existing_secret := (lookup "v1" "Secret" .Release.Namespace "kubernetes-secrets-secret") | default dict }}
+ {{- $secretData := (get $existing_secret "data") | default dict }}
+ # set $secret to existing secret data or generate a random one when not exists
+ {{- $secret := (get $secretData "secret") | default (randAlphaNum 32 | b64enc) }}
+ # generate 32 chars long random string, base64 encode it and then double-quote the result string.
+ SECRET_KEY: {{ $secret | quote }}
+ # Duplicate the secret-value with a different key so that it can be mounted into the environment of a pod which
+ # required a different name (to the best of my knowledge, there's no way to mount a secret as an env variable but
+ # transform the key)
+ DRONE_SECRET_PLUGIN_TOKEN: {{ $secret | quote }}
diff --git a/charts/drone/values.yaml b/charts/drone/values.yaml
index 6aaea21..fa486e1 100644
--- a/charts/drone/values.yaml
+++ b/charts/drone/values.yaml
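Review bot: The `$secret` assignment in kubernetes_secrets_secret.yaml reads key `secret` from the existing Secret's data, but the only keys this template ever writes are `SECRET_KEY` and `DRONE_SECRET_PLUGIN_TOKEN`, so unless the Secret was created out-of-band with a `secret` key the lookup finds nothing on every `helm upgrade` and a fresh random value is generated, rotating the token the server, runner and plugin are supposed to share. Change that line to `{{- $secret := (get $secretData "SECRET_KEY") | default (randAlphaNum 32 | b64enc) }}` so the persisted value is reused. The same regeneration also happens whenever `lookup` runs without cluster access (`helm template`, `--dry-run`, GitOps tooling that renders offline), which is inherent to this pattern and worth a sentence in the header comment, e.g. `# lookup returns an empty map when rendering offline, so such renders always produce a new value`. The Secret name is fixed rather than derived from `.Release.Name`, so two releases in one namespace would presumably contend for the same object while `helm.sh/resource-policy: keep` leaves it behind on uninstall; if a single release per namespace is the intended constraint, say so next to `name:`.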
@@ -22,6 +22,9 @@ drone-runner:
 DRONE_RPC_SECRET: rpc-secret
 DRONE_RPC_HOST: drone-drone-server:3500 # This is the name of the service for the runner
 DRONE_RUNNER_NETWORK_OPTS: "com.docker.network.driver.mtu:1450"
+ DRONE_SECRET_PLUGIN_ENDPOINT: "http://drone-drone-kubernetes-secrets:3000"
+ extraSecretNamesForEnvFrom:
+ - kubernetes-secrets-secret
 dind:
 commandArgs:
 - "--host"
@@ -42,6 +45,14 @@ drone-runner:
 values:
 - rasnu2
+drone-kubernetes-secrets:
+ rbac:
+ secretNamespace: drone
+ env:
+ KUBERNETES_NAMESPACE: drone
+ extraSecretNamesForEnvFrom:
+ - kubernetes-secrets-secret
+
 drone:
 server: "drone.scubbo.org"
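Review bot: The new `DRONE_SECRET_PLUGIN_ENDPOINT` value bakes the release name into the hostname `drone-drone-kubernetes-secrets`, matching the existing `DRONE_RPC_HOST` line, so the endpoint presumably stops resolving if the chart is ever installed under a different release name; a comment such as `# assumes the release is named "drone"; service name is <release>-drone-kubernetes-secrets` on that line would make the constraint visible. Listing `kubernetes-secrets-secret` under `extraSecretNamesForEnvFrom` injects both `SECRET_KEY` and `DRONE_SECRET_PLUGIN_TOKEN` into the runner's environment although the runner only appears to need the plugin token, and the later hunk does the same for the plugin; harmless for one shared value, but a comment noting that the duplication is deliberate would stop a reader from "fixing" it. The endpoint is plain `http://`, so the plugin token and any secrets it returns travel unencrypted over the cluster network; if that relies on the cluster network being trusted, record the assumption beside the value. The `drone-runner:` block continues outside the hunk.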