diff --git a/charts/supabase/templates/analytics/deployment.yaml b/charts/supabase/templates/analytics/deployment.yaml
index 2b4b80053c6fda6b1c8d70d0c6e878ebfa072fb4..3c4f585c2dc5e6aca3ea8053afeb615d3f54f345 100644
--- a/charts/supabase/templates/analytics/deployment.yaml
+++ b/charts/supabase/templates/analytics/deployment.yaml
@@ -44,10 +44,11 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.username | default "username" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: username
+                  {{- end }}
             - name: DB_PORT
               value: {{ .Values.analytics.environment.DB_PORT | quote }}
           command: ["/bin/sh", "-c"]
@@ -78,16 +79,17 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             - name: DB_PASSWORD_ENC
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
-                  key: password
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
                   key: password_encoded
@@ -97,19 +99,21 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: database
+                  {{- end }}
             - name: LOGFLARE_API_KEY
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.analytics.secretRef }}
                   name: {{ .Values.secret.analytics.secretRef }}
+                  key: {{ .Values.secret.analytics.secretRefKey.apiKey | default "apiKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.analytics" . }}
-                  {{- end }}
                   key: apiKey
+                  {{- end }}
             {{- if .Values.analytics.bigQuery.enabled }}
             - name: GOOGLE_PROJECT_ID
               value: {{ .Values.analytics.bigQuery.projectId | quote }}
diff --git a/charts/supabase/templates/auth/deployment.yaml b/charts/supabase/templates/auth/deployment.yaml
index 3fa161e50cc2a2e2a68aadead2d0739f430b517d..f3830453f8afd9d2c226bdd2eab9fac78be10df8 100644
--- a/charts/supabase/templates/auth/deployment.yaml
+++ b/charts/supabase/templates/auth/deployment.yaml
@@ -44,10 +44,11 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.username | default "username" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: username
+                  {{- end }}
             - name: DB_PORT
               value: {{ .Values.auth.environment.DB_PORT | quote }}
           command: ["/bin/sh", "-c"]
@@ -78,16 +79,17 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             - name: DB_PASSWORD_ENC
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
-                  key: password
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
                   key: password_encoded
@@ -97,10 +99,11 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: database
+                  {{- end }}
             - name: GOTRUE_DB_DATABASE_URL
               value: $(DB_DRIVER)://$(DB_USER):$(DB_PASSWORD_ENC)@$(DB_HOST):$(DB_PORT)/$(DB_NAME)?search_path=auth&sslmode=$(DB_SSL)
             - name: GOTRUE_DB_DRIVER
@@ -110,28 +113,31 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: secret
+                  {{- end }}
             - name: GOTRUE_SMTP_USER
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.smtp.secretRef }}
                   name: {{ .Values.secret.smtp.secretRef }}
+                  key: {{ .Values.secret.smtp.secretRefKey.username | default "username" }}
                   {{- else }}
                   name: {{ include "supabase.secret.smtp" . }}
-                  {{- end }}
                   key: username
+                  {{- end }}
             - name: GOTRUE_SMTP_PASS
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.smtp.secretRef }}
                   name: {{ .Values.secret.smtp.secretRef }}
+                  key: {{ .Values.secret.smtp.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.smtp" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
           {{- with .Values.auth.livenessProbe }}
           livenessProbe:
             {{- toYaml . | nindent 12 }}
diff --git a/charts/supabase/templates/db/deployment.yaml b/charts/supabase/templates/db/deployment.yaml
index fb4e98815e69cad046fac6d85e5eeaf6122d2b8c..75f3c8effee3964743014fc2568a01c917480c11 100644
--- a/charts/supabase/templates/db/deployment.yaml
+++ b/charts/supabase/templates/db/deployment.yaml
@@ -68,46 +68,51 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.username | default "username" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: username
+                  {{- end }}
             - name: PGPASSWORD
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             - name: PGDATABASE
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: database
+                  {{- end }}
             - name: POSTGRES_DB
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: database
+                  {{- end }}
           {{- with .Values.db.livenessProbe }}
           livenessProbe:
             {{- toYaml . | nindent 12 }}
diff --git a/charts/supabase/templates/functions/deployment.yaml b/charts/supabase/templates/functions/deployment.yaml
index a3c5328942d819859af4b91b15ed759d847fc283..22726897ec2c2058ff577d40f834007d99ba5c10 100644
--- a/charts/supabase/templates/functions/deployment.yaml
+++ b/charts/supabase/templates/functions/deployment.yaml
@@ -54,16 +54,17 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             - name: DB_PASSWORD_ENC
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
-                  key: password
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
                   key: password_encoded
@@ -73,37 +74,41 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: database
+                  {{- end }}
             - name: JWT_SECRET
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: secret
+                  {{- end }}
             - name: SUPABASE_ANON_KEY
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.anonKey | default "anonKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: anonKey
+                  {{- end }}
             - name: SUPABASE_SERVICE_ROLE_KEY
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.serviceKey | default "serviceKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: serviceKey
+                  {{- end }}
             - name: POSTGRES_BACKEND_URL
               value: $(DB_DRIVER)://$(DB_USERNAME):$(DB_PASSWORD_ENC)@$(DB_HOSTNAME):$(DB_PORT)/$(DB_DATABASE)?search_path=auth&sslmode=$(DB_SSL)
           {{- with .Values.functions.livenessProbe }}
diff --git a/charts/supabase/templates/kong/deployment.yaml b/charts/supabase/templates/kong/deployment.yaml
index 4ecc1591ccd2edfe12cf02aa6b45f5ad8e9da5fc..fcedfbbd28d25b66aaadf743af62f82d59733a83 100644
--- a/charts/supabase/templates/kong/deployment.yaml
+++ b/charts/supabase/templates/kong/deployment.yaml
@@ -46,38 +46,42 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.anonKey | default "anonKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: anonKey
+                  {{- end }}
             - name: SUPABASE_SERVICE_KEY
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.serviceKey | default "serviceKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: serviceKey
+                  {{- end }}
             {{- if .Values.secret.dashboard }}
             - name: DASHBOARD_USERNAME
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.dashboard.secretRef }}
                   name: {{ .Values.secret.dashboard.secretRef }}
+                  key: {{ .Values.secret.dashboard.secretRefKey.username | default "username" }}
                   {{- else }}
                   name: {{ include "supabase.secret.dashboard" . }}
-                  {{- end }}
                   key: username
+                  {{- end }}
             - name: DASHBOARD_PASSWORD
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.dashboard.secretRef }}
                   name: {{ .Values.secret.dashboard.secretRef }}
+                  key: {{ .Values.secret.dashboard.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.dashboard" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             {{- end }}
           {{- with .Values.kong.livenessProbe }}
           livenessProbe:
diff --git a/charts/supabase/templates/meta/deployment.yaml b/charts/supabase/templates/meta/deployment.yaml
index 80f4ce125e37f81e20c58d2b465b6a04dcdcdc8c..2dac17b52caca572b192ac037d122d161d662e60 100644
--- a/charts/supabase/templates/meta/deployment.yaml
+++ b/charts/supabase/templates/meta/deployment.yaml
@@ -48,19 +48,21 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             - name: DB_NAME
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: database
+                  {{- end }}
             - name: PG_META_DB_HOST
               value: $(DB_HOST)
             - name: PG_META_DB_PORT
diff --git a/charts/supabase/templates/realtime/deployment.yaml b/charts/supabase/templates/realtime/deployment.yaml
index 06ddb3095f5285ccada024bc7dae64dd862749f4..4083a46f5a241bc283e295eca357ee16798b4bcb 100644
--- a/charts/supabase/templates/realtime/deployment.yaml
+++ b/charts/supabase/templates/realtime/deployment.yaml
@@ -44,10 +44,11 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.username | default "username" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: username
+                  {{- end }}
             - name: DB_PORT
               value: {{ .Values.analytics.environment.DB_PORT | quote }}
           command: ["/bin/sh", "-c"]
@@ -80,37 +81,41 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             - name: DB_NAME
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: database
+                  {{- end }}
             - name: JWT_SECRET
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: secret
+                  {{- end }}
             - name: API_JWT_SECRET
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: secret
+                  {{- end }}
           {{- with .Values.realtime.livenessProbe }}
           livenessProbe:
             {{- toYaml . | nindent 12 }}
diff --git a/charts/supabase/templates/rest/deployment.yaml b/charts/supabase/templates/rest/deployment.yaml
index 538d9d7c13837bda0de9f9e08643eb9768fc1531..8fc7fd6a441be45973e41b19a587fc7eb1c5375e 100644
--- a/charts/supabase/templates/rest/deployment.yaml
+++ b/charts/supabase/templates/rest/deployment.yaml
@@ -48,16 +48,17 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             - name: DB_PASSWORD_ENC
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
-                  key: password
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
                   key: password_encoded
@@ -67,10 +68,11 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: database
+                  {{- end }}
             - name: PGRST_DB_URI
               value: $(DB_DRIVER)://$(DB_USER):$(DB_PASSWORD_ENC)@$(DB_HOST):$(DB_PORT)/$(DB_NAME)?sslmode=$(DB_SSL)
             - name: PGRST_JWT_SECRET
@@ -78,19 +80,21 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: secret
+                  {{- end }}
             - name: JWT_EXPIRY
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.expiry | default "expiry" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: expiry
+                  {{- end }}
           {{- with .Values.rest.livenessProbe }}
           livenessProbe:
             {{- toYaml . | nindent 12 }}
diff --git a/charts/supabase/templates/secrets/analytics.yaml b/charts/supabase/templates/secrets/analytics.yaml
index 83e7b42090fe5c693d89dc16facb6c15f7ba01c4..8710542fe0752894256b732126765df24411b6f1 100644
--- a/charts/supabase/templates/secrets/analytics.yaml
+++ b/charts/supabase/templates/secrets/analytics.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.secret.analytics }}
+{{- if not .Values.secret.analytics.secretRef }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/supabase/templates/secrets/dashboard.yaml b/charts/supabase/templates/secrets/dashboard.yaml
index f81ef57b3cbe3f5390a8418b7a6a417f6a553343..d0db4c7c138b5a9b779c8cb2a6ead299a09c7a78 100644
--- a/charts/supabase/templates/secrets/dashboard.yaml
+++ b/charts/supabase/templates/secrets/dashboard.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.secret.dashboard }}
+{{- if not .Values.secret.dashboard.secretRef }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,3 +12,4 @@ data:
   {{ $key }}: {{ $value | b64enc }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/supabase/templates/secrets/db.yaml b/charts/supabase/templates/secrets/db.yaml
index 1a6a26e0ec25bc67e07bf9c9165d0361bcaf3823..21f5735e96f6620af793f80b4574d51a705304d9 100644
--- a/charts/supabase/templates/secrets/db.yaml
+++ b/charts/supabase/templates/secrets/db.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.secret.db }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,3 +11,4 @@ data:
   {{ $key }}: {{ $value | b64enc }}
 {{- end }}
   password_encoded: {{ .Values.secret.db.password | urlquery | b64enc }}
+{{- end }}
diff --git a/charts/supabase/templates/secrets/jwt.yaml b/charts/supabase/templates/secrets/jwt.yaml
index 5622d23243bc42a3536a95f236728f215793076a..b8d4296c2e405e15d33681285a26a56c36293488 100644
--- a/charts/supabase/templates/secrets/jwt.yaml
+++ b/charts/supabase/templates/secrets/jwt.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.secret.jwt }}
+{{- if not .Values.secret.jwt.secretRef }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,3 +12,4 @@ data:
   {{ $key }}: {{ $value | toString | b64enc }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/supabase/templates/secrets/s3.yaml b/charts/supabase/templates/secrets/s3.yaml
index 1752e65812036aebba7e0ead11a27aaf8979c6a8..510610b05f7137083bc3cdb835684a423ce9f3de 100644
--- a/charts/supabase/templates/secrets/s3.yaml
+++ b/charts/supabase/templates/secrets/s3.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.secret.s3 }}
+{{- if not .Values.secret.s3.secretRef }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,3 +12,4 @@ data:
   {{ $key }}: {{ $value | toString | b64enc }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/supabase/templates/secrets/smtp.yaml b/charts/supabase/templates/secrets/smtp.yaml
index 38b70b70878b6180df9ce993fb3876d7a27c5608..4dd4a9319ff0b307ef7a8e3d056a7c71ed71c99e 100644
--- a/charts/supabase/templates/secrets/smtp.yaml
+++ b/charts/supabase/templates/secrets/smtp.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.secret.smtp }}
+{{- if not .Values.secret.smtp.secretRef }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,3 +12,4 @@ data:
   {{ $key }}: {{ $value | b64enc }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/supabase/templates/storage/deployment.yaml b/charts/supabase/templates/storage/deployment.yaml
index 613278312ac01bb9ca78addff06ac594838ad49b..4b93977602617f0ada76ed5e107f63bd50e979f5 100644
--- a/charts/supabase/templates/storage/deployment.yaml
+++ b/charts/supabase/templates/storage/deployment.yaml
@@ -45,10 +45,11 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.username | default "username" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: username
+                  {{- end }}
             - name: DB_PORT
               value: {{ .Values.analytics.environment.DB_PORT | quote }}
           command: ["/bin/sh", "-c"]
@@ -108,16 +109,17 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: password
+                  {{- end }}
             - name: DB_PASSWORD_ENC
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
-                  key: password
+                  key: {{ .Values.secret.db.secretRefKey.password | default "password" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
                   key: password_encoded
@@ -127,10 +129,11 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: database
+                  {{- end }}
             - name: DATABASE_URL
               value: $(DB_DRIVER)://$(DB_USER):$(DB_PASSWORD_ENC)@$(DB_HOST):$(DB_PORT)/$(DB_NAME)?search_path=auth&sslmode=$(DB_SSL)
             - name: PGRST_JWT_SECRET
@@ -138,28 +141,31 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: secret
+                  {{- end }}
             - name: ANON_KEY
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.anonKey | default "anonKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: anonKey
+                  {{- end }}
             - name: SERVICE_KEY
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.serviceKey | default "serviceKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: serviceKey
+                  {{- end }}
             {{- if .Values.imgproxy.enabled }}
             - name: IMGPROXY_URL
               value: http://{{ include "supabase.imgproxy.fullname" . }}:{{ .Values.imgproxy.service.port | int }}
diff --git a/charts/supabase/templates/studio/deployment.yaml b/charts/supabase/templates/studio/deployment.yaml
index 90e9e16029a10f4d550a9472f4d9ec671a0b7c3e..dc4d9f8466a1490f9fea3ff5bf885c85777395aa 100644
--- a/charts/supabase/templates/studio/deployment.yaml
+++ b/charts/supabase/templates/studio/deployment.yaml
@@ -52,19 +52,21 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.anonKey | default "anonKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: anonKey
+                  {{- end }}
             - name: SUPABASE_SERVICE_KEY
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.jwt.secretRef }}
                   name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.serviceKey | default "serviceKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.jwt" . }}
-                  {{- end }}
                   key: serviceKey
+                  {{- end }}
             {{- if .Values.analytics.enabled }}
             - name: LOGFLARE_URL
               value: http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}
diff --git a/charts/supabase/templates/test/db.yaml b/charts/supabase/templates/test/db.yaml
index 43a7be7d27edc609a515fa9ff76eaef4c42da6c0..296bcc3bb77ce5169c35901dea5e69f02a5a6ae2 100644
--- a/charts/supabase/templates/test/db.yaml
+++ b/charts/supabase/templates/test/db.yaml
@@ -30,10 +30,11 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.db.secretRef }}
                   name: {{ .Values.secret.db.secretRef }}
+                  key: {{ .Values.secret.db.secretRefKey.username | default "username" }}
                   {{- else }}
                   name: {{ include "supabase.secret.db" . }}
-                  {{- end }}
                   key: username
+                  {{- end }}
             - name: DB_PORT
               value: {{ .Values.auth.environment.DB_PORT | quote }}
           image: postgres:15-alpine
diff --git a/charts/supabase/templates/vector/deployment.yaml b/charts/supabase/templates/vector/deployment.yaml
index 890efcbcc12db9a42bdfb237e1eedeaa6d20837e..911ff08d5b24ee4db1c8e09d637255af818989f3 100644
--- a/charts/supabase/templates/vector/deployment.yaml
+++ b/charts/supabase/templates/vector/deployment.yaml
@@ -54,10 +54,11 @@ spec:
                 secretKeyRef:
                   {{- if .Values.secret.analytics.secretRef }}
                   name: {{ .Values.secret.analytics.secretRef }}
+                  key: {{ .Values.secret.analytics.secretRefKey.apiKey | default "apiKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.analytics" . }}
-                  {{- end }}
                   key: apiKey
+                  {{- end }}
           {{- end }}
           {{- with .Values.vector.livenessProbe }}
           livenessProbe:
diff --git a/charts/supabase/values.yaml b/charts/supabase/values.yaml
index 640120d23f2ffbc850e85ca54378c9eba440b2a3..9f8e379240b8c61eb158744e2471a354caf735b9 100644
--- a/charts/supabase/values.yaml
+++ b/charts/supabase/values.yaml
@@ -24,6 +24,12 @@ secret:
     expiry: 3600
     # specify existing secret, which takes precedence over variables above
     secretRef: ""
+    # override secret keys for existing secret refs
+    secretRefKey:
+      anonKey: anonKey
+      serviceKey: serviceKey
+      secret: secret
+      expiry: expiry
   # database credentials
   # these fields must be provided even if using external database
   db:
@@ -32,17 +38,29 @@ secret:
     database: ""
     # specify existing secret, which takes precedence over variables above
     secretRef: ""
+    # override secret keys for existing secret refs
+    secretRefKey:
+      username: username
+      password: password
+      database: database
   # analytics Logflare API key
   analytics:
     apiKey: ""
     # specify existing secret, which takes precedence over variable above
     secretRef: ""
+    # override secret keys for existing secret refs
+    secretRefKey:
+      apiKey: apiKey
   # smtp will be used to reference secret including smtp credentials
   smtp:
     # username: ""
     # password: ""
     # specify existing secret, which takes precedence over variables above
     # secretRef: ""
+    # override secret keys for existing secret refs
+    secretRefKey:
+      username: username
+      password: password
   # secret used to access the studio dashboard
   # leave it empty to disable dashboard authentication
   dashboard:
@@ -50,12 +68,20 @@ secret:
     # password: ""
     # specify existing secret, which takes precedence over variables above
     # secretRef: ""
+    # override secret keys for existing secret refs
+    secretRefKey:
+      username: username
+      password: password
   # S3 credentials for storage object bucket
   s3:
     # keyId: ""
     # accessKey: ""
     # specify existing secret, which takes precedence over variables above
     # secretRef: ""
+    # override secret keys for existing secret refs
+    secretRefKey:
+      keyId: keyId
+      accessKey: accessKey
 
 # Optional: Postgres Database
 # A standalone Postgres database configured to work with Supabase services.