diff --git a/charts/ziti-controller/templates/ca-router-ctrl-identity.yaml b/charts/ziti-controller/templates/ca-router-ctrl-identity.yaml
index 6504339a..5e560226 100644
--- a/charts/ziti-controller/templates/ca-router-ctrl-identity.yaml
+++ b/charts/ziti-controller/templates/ca-router-ctrl-identity.yaml
@@ -2,7 +2,7 @@
 # CA to issue the controller's router control plane identity. This CA issues the
 # server certificate that is presented by the controller to routers when they
 # connect to the controller's "ctrl" endpoint, i.e. the router control plane. The
-# same server certificate is re-used as a default identity if an alternative
+# same server certificate is reused as a default identity if an alternative
 # identity is not configured for a particular server TLS binding, e.g., web
 # binding for the client API.
 ######
diff --git a/charts/ziti-router/Chart.yaml b/charts/ziti-router/Chart.yaml
index b11bc7dd..abe1e7e6 100644
--- a/charts/ziti-router/Chart.yaml
+++ b/charts/ziti-router/Chart.yaml
@@ -3,4 +3,4 @@
 appVersion: 1.1.16
 description: Host an OpenZiti router in Kubernetes
 name: ziti-router
 type: application
-version: 1.1.4
+version: 1.1.5
diff --git a/charts/ziti-router/README.md b/charts/ziti-router/README.md
index 286d7c95..3f0285fa 100644
--- a/charts/ziti-router/README.md
+++ b/charts/ziti-router/README.md
@@ -1,7 +1,7 @@
 # ziti-router
-![Version: 1.1.4](https://img.shields.io/badge/Version-1.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.16](https://img.shields.io/badge/AppVersion-1.1.16-informational?style=flat-square)
+![Version: 1.1.5](https://img.shields.io/badge/Version-1.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.16](https://img.shields.io/badge/AppVersion-1.1.16-informational?style=flat-square)
 Host an OpenZiti router in Kubernetes
@@ -267,6 +267,8 @@ identity:
 | edge.service.labels | object | `{}` | service labels |
 | edge.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer; default is ClusterIP, but you could use NodePort or LoadBalancer instead of an ingress controller |
 | enrollmentJwt | string | `nil` | enrollment one time token from the controller's management API |
+| enrollmentJwtFromSecret | bool | `false` | allow for using a secret to specify the enrollment token instead of using the enrollmentJwt field if enabled, setting the enrollment token on the enrollmentJwt field has no effect |
+| enrollmentJwtSecretName | string | `""` | set the enrollment jwt from a secret The enrollment token secret must be of the following format: apiVersion: v1 kind: Secret metadata: name: myEnrollmentJwtSecret type: Opaque data: enrollmentJwt: |
 | env | object | `{}` | assign key=value in pod environment |
 | execMountDir | string | `"/usr/local/bin"` | read-only mountpoint for executables (must be in image's executable search PATH) |
 | fabric.metrics.enabled | bool | `false` | configure fabric metrics in the router config |
diff --git a/charts/ziti-router/templates/deployment.yaml b/charts/ziti-router/templates/deployment.yaml
index e107948f..1aa41f4d 100644
--- a/charts/ziti-router/templates/deployment.yaml
+++ b/charts/ziti-router/templates/deployment.yaml
@@ -59,7 +59,14 @@ spec:
 {{- end }}
 env:
 - name: ZITI_ENROLL_TOKEN
+ {{- if .Values.enrollmentJwtFromSecret }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ required (printf "You must set an enrollmentJwtSecretName, when using enrollmentJwtFromSecret. Try setting --set enrollmentJwtSecretName=myEnrollmentJwtSecret") .Values.enrollmentJwtSecretName }}
+ key: enrollmentJwt
+ {{- else }}
 value: {{ .Values.enrollmentJwt | quote }}
+ {{- end }}
 # must be true or enroll() will not be called
 - name: ZITI_BOOTSTRAP
 value: "true"
diff --git a/charts/ziti-router/values.yaml b/charts/ziti-router/values.yaml
index ad0e697d..c3e86b4d 100644
--- a/charts/ziti-router/values.yaml
+++ b/charts/ziti-router/values.yaml
@@ -249,6 +249,19 @@ csr:
 execMountDir: /usr/local/bin
 # -- enrollment one time token from the controller's management API
 enrollmentJwt:
+# -- allow for using a secret to specify the enrollment token instead of using the enrollmentJwt field
+# if enabled, setting the enrollment token on the enrollmentJwt field has no effect
+enrollmentJwtFromSecret: false
+# -- set the enrollment jwt from a secret
+# The enrollment token secret must be of the following format:
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: myEnrollmentJwtSecret
+# type: Opaque
+# data:
+# enrollmentJwt:
+enrollmentJwtSecretName: ""
 # -- read-only mountpoint for router identity secret specified in deployment for use by router run container
 identityMountDir: /etc/ziti/identity
 # -- writeable mountpoint where read-only config file is projected to allow router
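Review bot: The Secret key is hard-coded to `enrollmentJwt` on the `key:` line of the new `secretKeyRef`, so a Secret whose data key differs is rejected only at pod start with a missing-key error, while the `required` guard one line above covers just the Secret's name; either expose the key as a value next to `enrollmentJwtSecretName`, or keep it fixed and say so in the template, e.g. `# key is fixed to "enrollmentJwt"; see values.yaml for the expected Secret layout`. The `printf` around a constant message has no format verbs, so `required "You must set an enrollmentJwtSecretName, ..." .Values.enrollmentJwtSecretName` reads the same and is simpler, and the name should be quoted like the sibling `value:` branch: `name: {{ required "…" .Values.enrollmentJwtSecretName | quote }}`. When `enrollmentJwtFromSecret` is true a non-empty `enrollmentJwt` is silently ignored, which values.yaml documents but the template does not surface; a `fail` when both are set would make that misconfiguration visible at render time rather than at enrollment. The enclosing container spec starts and ends outside the hunk.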
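Review bot: The Secret layout sketched in the new comment above `enrollmentJwtSecretName` uses `data:`, whose values must be base64-encoded, yet the example leaves `enrollmentJwt:` empty, so a reader cannot tell whether to paste the raw JWT or its base64 form; showing `stringData:` instead, which takes the raw token, or writing `#   enrollmentJwt: <base64 of the one-time token>` would remove the ambiguity. Once folded by helm-docs this multi-line comment becomes the single run-on table cell visible in the README.md hunk (`set the enrollment jwt from a secret The enrollment token secret must be of the following format: ...`), so the example is better kept to one line, or placed under a raw-markdown annotation if the project's helm-docs version supports one. Since `enrollmentJwt` is a one-time enrollment token, it would also help to state in the `enrollmentJwtFromSecret` comment that the Secret path is the recommended way to keep the token out of a values file committed to version control.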