1. Secret handling (JWT_SECRET and ENCRYPTION_KEY):
   - By default, the chart creates a Kubernetes Secret from the values in `secretEnv.JWT_SECRET` and `secretEnv.ENCRYPTION_KEY`.
   - To generate random values for both at install (preserved across upgrades), set `generateJwtSecret: true`.
   - To use an existing Kubernetes secret, set `existingSecret` to the secret name. The secret must contain a key matching `existingSecretKey` (defaults to `JWT_SECRET`) and optionally an `ENCRYPTION_KEY` key. If `ENCRYPTION_KEY` is absent from the external secret, the server auto-generates and persists it to the data volume.

2. ENCRYPTION_KEY notes:
   - Encrypts stored API keys, MFA secrets, SMTP password, and OIDC client secret at rest.
   - If left empty, auto-generated by the server and saved to the data PVC — safe as long as the PVC persists.
   - Upgrading from a version that used JWT_SECRET for encryption: set `secretEnv.ENCRYPTION_KEY` to your old JWT_SECRET value to keep existing encrypted data readable, then re-save credentials via the admin panel.

3. Example usage:
   - Set explicit secrets: `--set secretEnv.JWT_SECRET=your_secret --set secretEnv.ENCRYPTION_KEY=your_enc_key`
   - Generate random secrets: `--set generateJwtSecret=true`
   - Use an existing secret: `--set existingSecret=my-k8s-secret`
   - Use a custom key for JWT in existing secret: `--set existingSecret=my-k8s-secret --set existingSecretKey=MY_JWT_KEY`

4. Only one method should be used at a time. If both `generateJwtSecret` and `existingSecret` are set, `existingSecret` takes precedence.
   If using `existingSecret`, ensure the referenced secret and keys exist in the target namespace.