diff --git a/helm/knowledge-tree/templates/_helpers.tpl b/helm/knowledge-tree/templates/_helpers.tpl
index 7085c323..0a2846b8 100644
--- a/helm/knowledge-tree/templates/_helpers.tpl
+++ b/helm/knowledge-tree/templates/_helpers.tpl
@@ -140,13 +140,13 @@ Outputs a list of env var definitions.
 - name: GRAPH_DB_PASSWORD
   valueFrom:
     secretKeyRef:
-      name: {{ include "knowledge-tree.secretName" . }}
-      key: graph-db-password
+      name: {{ default (printf "%s-credentials" (include "knowledge-tree.graphDbName" .)) .Values.graphDb.credentialsSecret }}
+      key: password
 - name: WRITE_DB_PASSWORD
   valueFrom:
     secretKeyRef:
-      name: {{ include "knowledge-tree.secretName" . }}
-      key: write-db-password
+      name: {{ default (printf "%s-credentials" (include "knowledge-tree.writeDbName" .)) .Values.writeDb.credentialsSecret }}
+      key: password
 - name: HATCHET_CLIENT_TOKEN
   valueFrom:
     secretKeyRef:
diff --git a/helm/knowledge-tree/templates/hatchet-deployment.yaml b/helm/knowledge-tree/templates/hatchet-deployment.yaml
index 687f21f8..64eaccf8 100644
--- a/helm/knowledge-tree/templates/hatchet-deployment.yaml
+++ b/helm/knowledge-tree/templates/hatchet-deployment.yaml
@@ -32,8 +32,8 @@ spec:
             - name: HATCHET_DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "knowledge-tree.secretName" . }}
-                  key: hatchet-db-password
+                  name: {{ default (printf "%s-credentials" (include "knowledge-tree.hatchetDbName" .)) .Values.hatchetDb.credentialsSecret }}
+                  key: password
             - name: DATABASE_URL
               value: "postgresql://hatchet:$(HATCHET_DB_PASSWORD)@{{ include "knowledge-tree.hatchetDbHost" . }}:5432/hatchet?sslmode=disable"
             - name: SERVER_AUTH_COOKIE_DOMAIN
diff --git a/helm/knowledge-tree/templates/secret.yaml b/helm/knowledge-tree/templates/secret.yaml
index 4742124c..ee565754 100644
--- a/helm/knowledge-tree/templates/secret.yaml
+++ b/helm/knowledge-tree/templates/secret.yaml
@@ -7,9 +7,6 @@ metadata:
     {{- include "knowledge-tree.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  graph-db-password: {{ .Values.secrets.graphDbPassword | quote }}
-  write-db-password: {{ .Values.secrets.writeDbPassword | quote }}
-  hatchet-db-password: {{ .Values.secrets.hatchetDbPassword | quote }}
   openrouter-api-key: {{ .Values.secrets.openrouterApiKey | quote }}
   openai-api-key: {{ .Values.secrets.openaiApiKey | quote }}
   brave-key: {{ .Values.secrets.braveKey | quote }}
diff --git a/helm/knowledge-tree/values.yaml b/helm/knowledge-tree/values.yaml
index a15b8d62..4928a578 100644
--- a/helm/knowledge-tree/values.yaml
+++ b/helm/knowledge-tree/values.yaml
@@ -34,6 +34,7 @@ secrets:
 # CloudNativePG Databases
 # =============================================================================
 graphDb:
+  credentialsSecret: ""  # if empty, uses CNPG-generated secret
   instances: 1
   image: ghcr.io/cloudnative-pg/postgresql:16.8
   storage:
@@ -51,6 +52,7 @@ graphDb:
       memory: 2Gi
 
 writeDb:
+  credentialsSecret: ""  # if empty, uses CNPG-generated secret
   instances: 1
   image: ghcr.io/cloudnative-pg/postgresql:16
   storage:
@@ -66,6 +68,7 @@ writeDb:
       memory: 2Gi
 
 hatchetDb:
+  credentialsSecret: ""  # if empty, uses CNPG-generated secret
   instances: 1
   image: ghcr.io/cloudnative-pg/postgresql:16
   storage: