diff --git a/fluentd/templates/deployment-fluentd.yaml b/fluentd/templates/deployment-fluentd.yaml
index 167f7f927..adbe1a1f3 100644
--- a/fluentd/templates/deployment-fluentd.yaml
+++ b/fluentd/templates/deployment-fluentd.yaml
@@ -157,8 +157,11 @@ spec:
 value: {{ tuple "elasticsearch" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
 - name: KAFKA_BROKER
 value: {{ $kafkaBrokerURI }}
-{{- if .Values.pod.env.fluentd }}
-{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.fluentd | indent 12 }}
+{{- if .Values.pod.env.fluentd.vars }}
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.fluentd.vars | indent 12 }}
+{{- end }}
+{{- if .Values.pod.env.fluentd.secrets }}
+{{ tuple $envAll .Values.pod.env.fluentd.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" | indent 12 }}
 {{- end }}
 - name: ELASTICSEARCH_USERNAME
 valueFrom:
@@ -216,6 +219,12 @@ spec:
 {{- end }}
 - name: pod-etc-fluentd
 emptyDir: {}
+{{ if and (.Values.manifests.secret_fluentd_env) (.Values.pod.env.fluentd.secrets) }}
+ - name: {{ printf "%s-%s" $envAll.Release.Name "env-secret" | quote }}
+ secret:
+ secretName: {{ printf "%s-%s" $envAll.Release.Name "env-secret" | quote }}
+ defaultMode: 0444
+{{- end }}
 - name: fluentd-etc
 secret:
 secretName: {{ printf "%s-%s" $envAll.Release.Name "fluentd-etc" | quote }}
diff --git a/fluentd/templates/secret-fluentd.yaml b/fluentd/templates/secret-fluentd.yaml
new file mode 100644
index 000000000..9e8c183b4
--- /dev/null
+++ b/fluentd/templates/secret-fluentd.yaml
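Review bot: The `secretKeyRef` entries added in the first hunk are rendered whenever `.Values.pod.env.fluentd.secrets` is set, but the Secret they point to (secret-fluentd.yaml) is created only when `manifests.secret_fluentd_env` is also true. With the manifest disabled and secrets populated, the container would reference a Secret the chart never creates, unless one with that exact name is supplied out of band. If that is the intended escape hatch, a template comment above the block should say so; otherwise gate the env block the same way, `{{- if and .Values.manifests.secret_fluentd_env .Values.pod.env.fluentd.secrets }}`. The container spec starts and ends outside this hunk.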
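Review bot: The `env-secret` volume added in the second hunk sets `defaultMode: 0444`, which makes every key world-readable in any container that mounts it, and no matching `volumeMounts` entry is visible in this diff. Since the values are consumed through `secretKeyRef`, the volume looks unnecessary and could be dropped; if it is kept, `defaultMode: 0400` is the tighter choice, provided the container user can still read it. The opening `{{ if and ...` also lacks the `-` trim marker that the neighbouring blocks use, so it leaves a blank line in the rendered manifest; `{{- if and ...` avoids that. The volumes list starts and ends outside this hunk.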
@@ -0,0 +1,29 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and (.Values.manifests.secret_fluentd_env) (.Values.pod.env.fluentd.secrets) }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "env-secret" | quote }}
+type: Opaque
+data:
+ {{ range $key, $value := .Values.pod.env.fluentd.secrets }}
+ {{$key | upper}}: {{ $value | b64enc }}
+ {{- end }}
+{{- end }}
diff --git a/fluentd/values.yaml b/fluentd/values.yaml
index aab965778..564239caf 100644
--- a/fluentd/values.yaml
+++ b/fluentd/values.yaml
@@ -407,7 +407,9 @@ network_policy:
 pod:
 env:
- fluentd: null
+ fluentd:
+ vars: null
+ secrets: null
 tolerations:
 fluentd:
 enabled: false
@@ -489,5 +491,6 @@ manifests:
 service_exporter: true
 network_policy: false
 secret_elasticsearch: true
+ secret_fluentd_env: true
 secret_kafka: false
 service_fluentd: true
diff --git a/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 000000000..1c56fb27d
--- /dev/null
+++ b/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
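Review bot: The Secret's data keys are written as `{{$key | upper}}`, but `helm-toolkit.utils.to_k8s_env_secret_vars` emits `key: {{ $key }}` unchanged, so any name under `pod.env.fluentd.secrets` that is not already upper-case yields a `secretKeyRef` to a key this Secret does not contain, and the container cannot start. Either drop `| upper` here or apply it in the helper as well; the test override in fluentd-daemonset.sh uses only upper-case names and would not catch the mismatch. `{{ $value | b64enc }}` would also fail to render for a non-string value such as a number or boolean, so `{{ $value | toString | b64enc }}` is safer. The `{{ range` line needs `{{-` to avoid an empty line under `data:`.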
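Review bot: The first values.yaml hunk moves the variables under `vars`/`secrets` with no comment or compatibility path for the changed schema. An existing override that still sets variables directly under `pod.env.fluentd` would no longer be rendered by the deployment template, and an override of `pod.env.fluentd: null` would likely make `.Values.pod.env.fluentd.vars` fail on a nil map. A comment above the key would help, e.g. `# vars: plain env vars; secrets: stored in the <release>-env-secret Secret and injected via secretKeyRef`. It should also say that `secrets` values are given in clear text and only base64-encoded by the template, so override files carrying them need the same handling as any other credential.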
@@ -0,0 +1,48 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret- template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/tools/deployment/common/fluentd-daemonset.sh b/tools/deployment/common/fluentd-daemonset.sh
index 102bb8bbc..432120d41 100755
--- a/tools/deployment/common/fluentd-daemonset.sh
+++ b/tools/deployment/common/fluentd-daemonset.sh
@@ -31,11 +31,16 @@ monitoring:
 prometheus:
 enabled: true
 pod:
+ env:
+ fluentd:
+ vars:
+ MY_TEST_VAR: FOO
+ secrets:
+ MY_TEST_SECRET: BAR
 security_context:
 fluentd:
 pod:
 runAsUser: 0
-
 deployment:
 type: DaemonSet
 conf:
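Review bot: The `usage:` example in the header comment of `_to_k8s_env_secret_vars.tpl` names the wrong helper and the wrong call shape. It shows `include "helm-toolkit.utils.to_k8s_env_vars" .Values.test`, while this template is `helm-toolkit.utils.to_k8s_env_secret_vars` and reads its arguments with `index . 0` and `index . 1`. It should read `{{ tuple $envAll .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}`. The `$config` loop variable is never used, and `name:`/`key:` are emitted unquoted, so a name such as `NO` or an all-digit key could be retyped by the YAML parser; `{{ $key | quote }}` on both lines avoids that.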