diff --git a/docs/SECRET-MANAGEMENT.md b/docs/SECRET-MANAGEMENT.md
index 879fd27..2a9e778 100644
--- a/docs/SECRET-MANAGEMENT.md
+++ b/docs/SECRET-MANAGEMENT.md
@@ -102,6 +102,9 @@ The ClickHouse password must be identical across three charts:
 - `clickhouse.yaml` -> `auth.defaultUserPassword.password`
 - `kafka.yaml` -> `kafkaConnect.clickhouse.password`
 
+For External Secrets / Secret Manager, use one shared secret name for all three
+references by default, for example `acme-clickhouse-password`.
+
 The MongoDB password must match across two charts:
 - `countly.yaml` -> `secrets.mongodb.password`
 - `mongodb.yaml` -> `users.app.password`
diff --git a/environments/reference/README.md b/environments/reference/README.md
index 12b374b..9392974 100644
--- a/environments/reference/README.md
+++ b/environments/reference/README.md
@@ -24,6 +24,11 @@ This directory is a complete starting point for a new Countly deployment.
    - `clickhouse.yaml` → `auth.defaultUserPassword.password`
    - `kafka.yaml` → `kafkaConnect.clickhouse.password`
 
+   Use one shared ClickHouse password value for:
+   - Countly
+   - ClickHouse default user
+   - Kafka Connect
+
    Or use `secrets.example.yaml` as a complete reference.
 
 4. Register your environment in `helmfile.yaml.gotmpl`: