diff --git a/kubernetes/chart/zulip/templates/NOTES.txt b/kubernetes/chart/zulip/templates/NOTES.txt
index 39aad86919..90067fd0d8 100644
--- a/kubernetes/chart/zulip/templates/NOTES.txt
+++ b/kubernetes/chart/zulip/templates/NOTES.txt
@@ -1,7 +1,7 @@
 1. To create a realm so you can sign in:
 
   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "zulip.name" . }}" -o jsonpath="{.items[0].metadata.name}")
-  kubectl -n {{ .Release.Namespace }} exec -it "$POD_NAME" -c zulip -- sudo -u zulip /home/zulip/deployments/current/manage.py generate_realm_creation_link
+  kubectl -n {{ .Release.Namespace }} exec -it "$POD_NAME" -c zulip -- sudo -Eu zulip /home/zulip/deployments/current/manage.py generate_realm_creation_link
 
 2. Zulip will be available on:
 
diff --git a/kubernetes/chart/zulip/templates/_helpers.tpl b/kubernetes/chart/zulip/templates/_helpers.tpl
index 39cd659d0b..ee8fcd043b 100644
--- a/kubernetes/chart/zulip/templates/_helpers.tpl
+++ b/kubernetes/chart/zulip/templates/_helpers.tpl
@@ -78,16 +78,26 @@ include all env variables for Zulip pods
   value: "{{ template "common.names.fullname" .Subcharts.rabbitmq }}"
 - name: SETTING_REDIS_HOST
   value: "{{ template "common.names.fullname" .Subcharts.redis }}-headless"
+{{- if .Values.rabbitmq.auth.password }}
 - name: SECRETS_rabbitmq_password
   value: "{{ .Values.rabbitmq.auth.password }}"
+{{- end }}
+{{- if .Values.postgresql.auth.password }}
 - name: SECRETS_postgres_password
   value: "{{ .Values.postgresql.auth.password }}"
+{{- end }}
+{{- if .Values.memcached.memcachedPassword }}
 - name: SECRETS_memcached_password
   value: "{{ .Values.memcached.memcachedPassword }}"
+{{- end }}
+{{- if .Values.redis.auth.password }}
 - name: SECRETS_redis_password
   value: "{{ .Values.redis.auth.password }}"
+{{- end }}
+{{- if .Values.zulip.password }}
 - name: SECRETS_secret_key
   value: "{{ .Values.zulip.password }}"
+{{- end }}
 {{- range $key, $value := .Values.zulip.environment }}
 - name: {{ $key }}
   value: {{ $value | quote }}
diff --git a/kubernetes/chart/zulip/templates/statefulset.yaml b/kubernetes/chart/zulip/templates/statefulset.yaml
index dea51642fa..c9981d0c1b 100644
--- a/kubernetes/chart/zulip/templates/statefulset.yaml
+++ b/kubernetes/chart/zulip/templates/statefulset.yaml
@@ -57,6 +57,11 @@ spec:
               mountPath: /data/post-setup.d
           env:
             {{ include "zulip.env" . | nindent 12 }}
+          {{- if .Values.zulip.secretEnvironment }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.zulip.secretEnvironment }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           {{- if .Values.livenessProbe.enabled }}
diff --git a/kubernetes/chart/zulip/values.yaml b/kubernetes/chart/zulip/values.yaml
index cfa8f0b9a8..d7af17895b 100644
--- a/kubernetes/chart/zulip/values.yaml
+++ b/kubernetes/chart/zulip/values.yaml
@@ -145,6 +145,8 @@ zulip:
     SETTING_EMAIL_USE_SSL: "False"
     SETTING_EMAIL_USE_TLS: "True"
     ZULIP_AUTH_BACKENDS: "EmailAuthBackend"
+  ## An existing secret from which populate environment variablgwes.
+  secretEnvironment: ""
   ## If `persistence.existingClaim` is not set, a PVC (Persistent
   ## Volume Claim) is generated with these specifications.
   persistence: