diff --git a/helm/mysql-innodbcluster/templates/cluster_secret.yaml b/helm/mysql-innodbcluster/templates/cluster_secret.yaml
index ab6c97b0..f9ed3145 100644
--- a/helm/mysql-innodbcluster/templates/cluster_secret.yaml
+++ b/helm/mysql-innodbcluster/templates/cluster_secret.yaml
@@ -1,10 +1,13 @@
-{{- $cluster_name := default "mycluster" .Release.Name }}
+{{- $cluster_name := default "mycluster" .Release.Name }}
+{{- if not .Values.credentials.root.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
 name: {{ $cluster_name }}-cluster-secret
 namespace: {{ .Release.Namespace }}
+type: Opaque
 stringData:
 rootUser: {{ .Values.credentials.root.user | default "root" | quote }}
 rootHost: {{ .Values.credentials.root.host | default "%%" | quote }}
- rootPassword: {{ required "credentials.root.password is required" .Values.credentials.root.password | quote }}
+ rootPassword: {{ required "credentials.root.password is required when credentials.root.existingSecret is not set" .Values.credentials.root.password | quote }}
+{{- end }}
diff --git a/helm/mysql-innodbcluster/templates/deployment_cluster.yaml b/helm/mysql-innodbcluster/templates/deployment_cluster.yaml
index 86a54834..70dc7a9a 100644
--- a/helm/mysql-innodbcluster/templates/deployment_cluster.yaml
+++ b/helm/mysql-innodbcluster/templates/deployment_cluster.yaml
@@ -69,7 +69,7 @@ spec:
 {{- end }}
 tlsSecretName: {{ $secret_name }}
 {{- end }}
- secretName: {{ .Release.Name }}-cluster-secret
+ secretName: {{ .Values.credentials.root.existingSecret | default (printf "%s-cluster-secret" .Release.Name) }}
 imagePullPolicy : {{ .Values.image.pullPolicy }}
 baseServerId: {{ required "baseServerId is required" .Values.baseServerId | toString | atoi }}
 version: {{ .Values.serverVersion | default .Chart.AppVersion }}
diff --git a/helm/mysql-innodbcluster/values.yaml b/helm/mysql-innodbcluster/values.yaml
index 8548ea0a..13d64435 100644
--- a/helm/mysql-innodbcluster/values.yaml
+++ b/helm/mysql-innodbcluster/values.yaml
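Review bot: The new `secretName` line in deployment_cluster.yaml renders a user-supplied value unquoted, so an `existingSecret` name that is all digits, boolean-looking, or contains YAML-significant characters is retyped or breaks the manifest instead of being passed through as a string. End the pipeline with `| quote`, as the neighbouring secret template already does for its values: `secretName: {{ .Values.credentials.root.existingSecret | default (printf "%s-cluster-secret" .Release.Name) | quote }}`. The field takes only a name, so the referenced secret presumably has to live in the release namespace; the values.yaml comment for `existingSecret` should say so. The enclosing `spec:` block starts and ends outside this hunk.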
@@ -9,10 +9,34 @@ image:
 credentials:
 root:
+ # Option 1: Provide credentials directly (chart will create a secret)
+ # Only used when existingSecret is not set
 user: root
-# password: sakila
+ password: sakila
 host: "%"
+
+ # Option 2: Reference an existing Kubernetes secret (recommended for production/GitOps)
+ # When set, user/host/password above are ignored and the chart will not create a secret.
+ #
+ # The referenced secret must contain these keys:
+ # - rootUser: MySQL root username (e.g., "root")
+ # - rootHost: MySQL root host pattern (e.g., "%%")
+ # - rootPassword: MySQL root password
+ #
+ # Example secret:
+ # apiVersion: v1
+ # kind: Secret
+ # metadata:
+ # name: mysql-root-credentials
+ # type: Opaque
+ # stringData:
+ # rootUser: root
+ # rootHost: "%%"
+ # rootPassword: "my-secure-password"
+
+ # existingSecret: ""
+
 tls:
 useSelfSigned: false
 # caSecretName:
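Review bot: Uncommenting `password: sakila` turns a widely known sample password into the chart default for the root account, next to `host: "%"`. Because the value is now always populated, the `required "credentials.root.password is required when credentials.root.existingSecret is not set"` guard in cluster_secret.yaml can no longer fire, so an install that sets neither a password nor `existingSecret` succeeds silently with that default. Leave the key commented out as before, for example `# password: <set at install time, or use existingSecret>`, so the guard still forces an explicit choice. The comment block also documents `rootHost` as `"%%"` while the value above is `"%"`; if the doubled form is only there for the template's default, the example secret should use the form the operator actually expects.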