diff --git a/charts/terrakube/Chart.yaml b/charts/terrakube/Chart.yaml
index 91fd38c..d56eda5 100644
--- a/charts/terrakube/Chart.yaml
+++ b/charts/terrakube/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.18.0
+version: 3.19.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/terrakube/templates/deployment-api.yaml b/charts/terrakube/templates/deployment-api.yaml
index 697eb3c..80d8e27 100644
--- a/charts/terrakube/templates/deployment-api.yaml
+++ b/charts/terrakube/templates/deployment-api.yaml
@@ -43,7 +43,7 @@ spec:
         envFrom:
         {{- range .Values.api.secrets }}
             - secretRef:
-                name: {{ .name }}
+                name: {{ . | quote }}
         {{- end }}
         startupProbe:
           httpGet:
diff --git a/charts/terrakube/templates/deployment-executor.yaml b/charts/terrakube/templates/deployment-executor.yaml
index c9105b3..987c9b4 100644
--- a/charts/terrakube/templates/deployment-executor.yaml
+++ b/charts/terrakube/templates/deployment-executor.yaml
@@ -43,7 +43,7 @@ spec:
         envFrom:
         {{- range .Values.executor.secrets }}
             - secretRef:
-                name: {{ .name }}
+                name: {{ . | quote }}
         {{- end }}
         startupProbe:
           httpGet:
diff --git a/charts/terrakube/templates/deployment-registry.yaml b/charts/terrakube/templates/deployment-registry.yaml
index 732dd4a..ce90682 100644
--- a/charts/terrakube/templates/deployment-registry.yaml
+++ b/charts/terrakube/templates/deployment-registry.yaml
@@ -43,7 +43,7 @@ spec:
         envFrom:
         {{- range .Values.registry.secrets }}
             - secretRef:
-                name: {{ .name }}
+                name: {{ . | quote }}
         {{- end }}
         startupProbe:
           httpGet:
diff --git a/charts/terrakube/templates/rbac-api.yaml b/charts/terrakube/templates/rbac-api.yaml
new file mode 100644
index 0000000..b7f373a
--- /dev/null
+++ b/charts/terrakube/templates/rbac-api.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.api.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.api.serviceAccountName }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.api.rbac.roleName }}
+rules:
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.api.rbac.roleBindingName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.api.serviceAccountName }}
+roleRef:
+  kind: Role
+  name: {{ .Values.api.rbac.roleName }}
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}
\ No newline at end of file
diff --git a/charts/terrakube/values.yaml b/charts/terrakube/values.yaml
index 705504b..35a5ad9 100644
--- a/charts/terrakube/values.yaml
+++ b/charts/terrakube/values.yaml
@@ -177,6 +177,10 @@ api:
   replicaCount: "1"
   serviceType: "ClusterIP"
   serviceAccountName: ""
+  rbac:
+    create: false
+    roleName: "terrakube-api-role"
+    roleBindingName: "terrakube-api-role-binding"
   secrets:
    - terrakube-api-secrets
   resources: {}