diff --git a/charts/velero/Chart.yaml b/charts/velero/Chart.yaml
index e7de334e..bf53e5e5 100644
--- a/charts/velero/Chart.yaml
+++ b/charts/velero/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: 1.12.2
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart for velero
 name: velero
-version: 5.1.7
+version: 5.2.0
 home: https://github.com/vmware-tanzu/velero
 icon: https://cdn-images-1.medium.com/max/1600/1*-9mb3AKnKdcL_QD3CMnthQ.png
 sources:
diff --git a/charts/velero/templates/_helpers.tpl b/charts/velero/templates/_helpers.tpl
index beed7f71..00d97db4 100644
--- a/charts/velero/templates/_helpers.tpl
+++ b/charts/velero/templates/_helpers.tpl
@@ -86,3 +86,11 @@ For examples:
 {{- $minorVersion := .Capabilities.KubeVersion.Minor | regexFind "[0-9]+" -}}
 {{- printf "%s.%s" .Capabilities.KubeVersion.Major $minorVersion -}}
 {{- end -}}
+
+
+{{/*
+Calculate the checksum of the credentials secret.
+*/}}
+{{- define "chart.config-checksum" -}}
+{{- tpl (print .Values.credentials.secretContents .Values.credentials.extraEnvVars ) $ | sha256sum -}}
+{{- end -}}
diff --git a/charts/velero/templates/deployment.yaml b/charts/velero/templates/deployment.yaml
index 1afa03c1..155cfbd2 100644
--- a/charts/velero/templates/deployment.yaml
+++ b/charts/velero/templates/deployment.yaml
@@ -40,7 +40,7 @@ spec:
         {{- if .Values.podLabels }}
           {{- toYaml .Values.podLabels | nindent 8 }}
         {{- end }}
-    {{- if or .Values.podAnnotations .Values.metrics.enabled }}
+    {{- if or .Values.podAnnotations .Values.metrics.enabled (and .Values.credentials.useSecret (not .Values.credentials.existingSecret)) }}
       annotations:
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
@@ -50,6 +50,9 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- end }}
+      {{- if and .Values.credentials.useSecret (not .Values.credentials.existingSecret) }}
+        checksum/secret: {{ template "chart.config-checksum" . }}
+      {{- end }}
     {{- end }}
     spec:
     {{- if .Values.image.imagePullSecrets }}
@@ -218,7 +221,7 @@ spec:
           {{- with .Values.configuration.extraEnvVars }}
           {{- range $key, $value := . }}
             - name: {{ default "none" $key }}
-              value: {{ default "none" $value | quote }}
+              value: {{ tpl (default "none" $value) $ | quote }}
           {{- end }}
           {{- end }}
           {{- with .Values.credentials.extraEnvVars }}
diff --git a/charts/velero/templates/node-agent-daemonset.yaml b/charts/velero/templates/node-agent-daemonset.yaml
index f503b524..f5104e3d 100644
--- a/charts/velero/templates/node-agent-daemonset.yaml
+++ b/charts/velero/templates/node-agent-daemonset.yaml
@@ -33,7 +33,7 @@ spec:
       {{- if .Values.podLabels }}
         {{- toYaml .Values.podLabels | nindent 8 }}
       {{- end }}
-    {{- if or .Values.podAnnotations .Values.metrics.enabled }}
+    {{- if or .Values.podAnnotations .Values.metrics.enabled (and .Values.credentials.useSecret (not .Values.credentials.existingSecret)) }}
       annotations:
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
@@ -43,6 +43,9 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- end }}
+      {{- if and .Values.credentials.useSecret (not .Values.credentials.existingSecret) }}
+        checksum/secret: {{ template "chart.config-checksum" . }}
+      {{- end }}
     {{- end }}
     spec:
     {{- if .Values.image.imagePullSecrets }}
@@ -150,7 +153,7 @@ spec:
           {{- with .Values.configuration.extraEnvVars }}
           {{- range $key, $value := . }}
             - name: {{ default "none" $key }}
-              value: {{ default "none" $value | quote }}
+              value: {{ tpl (default "none" $value) $ | quote }}
           {{- end }}
           {{- end }}
           {{- with .Values.credentials.extraEnvVars }}
@@ -191,7 +194,7 @@ spec:
       {{- with .Values.nodeAgent.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
-      {{- end }}      
+      {{- end }}
     {{- with .Values.nodeAgent.dnsConfig }}
     dnsConfig:
       {{- toYaml . | nindent 8 }}
diff --git a/charts/velero/templates/secret.yaml b/charts/velero/templates/secret.yaml
index 4dbaf884..0cd9d57b 100644
--- a/charts/velero/templates/secret.yaml
+++ b/charts/velero/templates/secret.yaml
@@ -16,9 +16,9 @@ metadata:
 type: Opaque
 data:
 {{- range $key, $value := .Values.credentials.secretContents }}
-  {{ $key }}: {{ $value | b64enc | quote }}
+  {{ $key }}: {{ tpl $value $ | b64enc | quote }}
 {{- end }}
 {{- range $key, $value := .Values.credentials.extraEnvVars }}
-  {{ $key }}: {{ $value | b64enc | quote }}
+  {{ $key }}: {{ tpl $value $ | b64enc | quote }}
 {{- end }}
 {{- end -}}
diff --git a/charts/velero/values.yaml b/charts/velero/values.yaml
index 2337daa9..0b9becee 100644
--- a/charts/velero/values.yaml
+++ b/charts/velero/values.yaml
@@ -479,7 +479,7 @@ serviceAccount:
 credentials:
   # Whether a secret should be used. Set to false if, for examples:
   # - using kube2iam or kiam to provide AWS IAM credentials instead of providing the key file. (AWS only)
-  # - using workload identity instead of providing the key file. (GCP only)
+  # - using workload identity instead of providing the key file. (Azure/GCP only)
   useSecret: true
   # Name of the secret to create if `useSecret` is true and `existingSecret` is empty
   name: