This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/grafana] No safe way to provide secrets #5279

Closed
andybug opened this issue Apr 26, 2018 · 1 comment

andybug commented Apr 26, 2018

Is this a request for help?:
No

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT

Version of Helm and Kubernetes:
Helm v2.8.2
Kubernetes v1.9.3

Which chart:
stable/grafana

What happened:
Regression: unable to set environment variable from secret. See #3739. More generally, there is no safe way to provide Grafana with secrets using this chart.

What you expected to happen:
I expect there to be a way to provide secrets (password, GitHub OAuth secrets) via the environment or config file without them being stored in a ConfigMap.

How to reproduce it (as minimally and precisely as possible):
Attempt to use a secretKeyRef by setting .Values.env

Anything else we need to know:


andybug commented Apr 26, 2018

The best solution I've seen so far looking through the other stable charts is this: https://github.com/kubernetes/charts/blob/master/stable/chartmuseum/templates/deployment.yaml#L39

```yaml
{{- /* Non-sensitive variables: rendered as literal values in the pod spec. */}}
{{- range $name, $value := .Values.env.open }}
{{- if not (empty $value) }}
    - name: {{ $name | quote }}
      value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- /* Sensitive variables: only a reference to the chart's Secret is rendered. */}}
{{- $secret_name := include "chartmuseum.fullname" . }}
{{- range $name, $value := .Values.env.secret }}
{{- if not ( empty $value) }}
    - name: {{ $name | quote }}
      valueFrom:
        secretKeyRef:
          name: {{ $secret_name }}
          key: {{ $name | quote }}
{{- end }}
{{- end }}
```

Unfortunately there doesn't seem to be much consistency across the charts for doing this sort of thing right now.
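
The other half of the pattern quoted above, as an added example that is not part of the original thread and not taken from either chart: a Secret template whose keys match the env var names that the `secretKeyRef` entries look up. The chart name `mychart`, the values layout and the sample values are assumptions.

```yaml
# values.yaml (hypothetical layout; keep real secret values out of version
# control and supply them at install time, e.g. from a separate values file)
env:
  open:
    GF_SERVER_ROOT_URL: "https://grafana.example.com"   # constructed value
  secret:
    GF_SECURITY_ADMIN_PASSWORD: ""       # empty entries are skipped below
    GF_AUTH_GITHUB_CLIENT_SECRET: ""
---
# templates/secret.yaml (hypothetical chart "mychart")
# One key per non-empty entry in .Values.env.secret, named after the env var,
# so the secretKeyRef entries in the deployment resolve against this object.
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "mychart.fullname" . }}
type: Opaque
data:
{{- range $name, $value := .Values.env.secret }}
{{- if not (empty $value) }}
  {{ $name }}: {{ $value | toString | b64enc | quote }}
{{- end }}
{{- end }}
```

With this split, the rendered Deployment carries only the Secret name and key for each sensitive variable, and the values themselves live in the Secret object.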
