diff --git a/templates/backend-deployment.yaml b/templates/backend-deployment.yaml
index 1b49b18..4ad14a8 100644
--- a/templates/backend-deployment.yaml
+++ b/templates/backend-deployment.yaml
@@ -56,6 +56,22 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.config.existingSecret }}
                   key: ARGOCD_PASSWORD
+            # Cloudflare creds for per-tenant DNS automation. Optional —
+            # if absent, deploys to the in-cluster destination still
+            # work (wildcard A handles them); deploys to non-default
+            # servers fail fast with a clear error.
+            - name: TOWER_CLOUDFLARE_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.existingSecret }}
+                  key: CLOUDFLARE_TOKEN
+                  optional: true
+            - name: TOWER_CLOUDFLARE_ZONE_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.existingSecret }}
+                  key: CLOUDFLARE_ZONE_ID
+                  optional: true
           readinessProbe:
             httpGet:
               path: /healthz
diff --git a/values.yaml b/values.yaml
index fccbbca..481ca69 100644
--- a/values.yaml
+++ b/values.yaml
@@ -4,7 +4,7 @@ backend:
   enabled: true
   image:
     repository: docker.io/odoosky/tower
-    tag: "0.3.0"
+    tag: "0.4.0"
     pullPolicy: IfNotPresent  # IfNotPresent because the image is in
                               # containerd's k8s.io namespace already
                               # (lab1 single-server). Replace with