diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 5e0d1b46..e5fa6e0c 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -19,6 +19,19 @@ Expand the name of the chart.
 {{- end }}
 {{- end }}
 
+{{/*
+Get the admin password value or a randomly generated password.
+Note adminPassword is deprecated, and will be removed in a future version.
+*/}}
+{{- define "mission-control.admin.password" -}}
+  {{- if .Values.admin.password -}}
+    {{ .Values.admin.password -}}
+  {{- else if .Values.adminPassword -}}
+    {{ .Values.adminPassword -}}
+  {{- else -}}
+    {{ randAlphaNum 10 }}
+  {{- end -}}
+{{- end -}}
 
 {{/*
 Create chart name and version as used by the chart label.
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 0263d65c..a73c2970 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -44,8 +44,16 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.db.jwtSecretKeyRef.name  }}
                   key: {{ .Values.db.jwtSecretKeyRef.key }}
+            {{- if ne .Values.admin.existingSecret "" }}
             - name: ADMIN_PASSWORD
-              value: {{ .Values.adminPassword }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.admin.existingSecret }}
+                  key: admin-password
+            {{- else }}
+            - name: ADMIN_PASSWORD
+              value: {{ include "mission-control.admin.password" . }}
+            {{- end }}
           envFrom:
             - secretRef:
                 name: {{ .Values.smtp.secretRef.name }}
diff --git a/chart/values.yaml b/chart/values.yaml
index fedeb33b..9d7843ff 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -106,7 +106,18 @@ smtp:
     # SMTP_PORT: <port>
     # SMTP_USER: <user>
     # SMTP_PASSWORD: <password>
-adminPassword: admin
+# DEPRECATED - adminPassword is deprecated, and will be removed in a future version.
+# adminPassword: ""
+admin:
+  # If you leave this empty, and do not override with admin.existingSecret, a
+  # random password will be generated for you.
+  password: ""
+  # Specifying an existing secret name will override the admin.password.
+  # The secret key must be "admin-password"
+  # For example, to create from a file:
+  #   echo -n 'S!B\*d$zDsb=' > ./admin-password.txt
+  #   kubectl create secret generic admin-password-secret --from-file=admin-password.txt
+  existingSecret: ""
 canary-checker:
   image:
     type: full