diff --git a/docs/SECRET-MANAGEMENT.md b/docs/SECRET-MANAGEMENT.md
index aaae835..72cca14 100644
--- a/docs/SECRET-MANAGEMENT.md
+++ b/docs/SECRET-MANAGEMENT.md
@@ -108,6 +108,9 @@ The ClickHouse password must be identical across three charts:
 - `clickhouse.yaml` -> `auth.defaultUserPassword.password`
 - `kafka.yaml` -> `kafkaConnect.clickhouse.password`
 
+For External Secrets / Secret Manager, use one shared secret name for all three
+references by default, for example `acme-clickhouse-password`.
+
 The MongoDB password must match across two charts:
 - `countly.yaml` -> `secrets.mongodb.password`
 - `mongodb.yaml` -> `users.app.password`
diff --git a/environments/reference/README.md b/environments/reference/README.md
index 00bc0aa..a039d69 100644
--- a/environments/reference/README.md
+++ b/environments/reference/README.md
@@ -28,6 +28,11 @@ This directory is a complete starting point for a new Countly deployment.
   - `credentials-kafka.yaml` → `kafkaConnect.clickhouse.password`
   - `image-pull-secrets.example.yaml` → private registry pull secret manifests for `countly` and `kafka`
 
+   Use one shared ClickHouse password value for:
+   - Countly
+   - ClickHouse default user
+   - Kafka Connect
+
    Or use `secrets.example.yaml` as a complete reference.
 
 4. Register your environment in `helmfile.yaml.gotmpl`: