diff --git a/argocd/applicationsets/05-migration.yaml b/argocd/applicationsets/05-migration.yaml index 1ed1523..2198388 100644 --- a/argocd/applicationsets/05-migration.yaml +++ b/argocd/applicationsets/05-migration.yaml @@ -12,18 +12,18 @@ spec: repoURL: https://github.com/Countly/helm.git revision: main files: - - path: argocd/customers/*.yaml + - path: argocd/customers/migration/*.yaml template: metadata: name: "{{ .customer }}-migration" annotations: - argocd.argoproj.io/sync-wave: "10" + argocd.argoproj.io/sync-wave: "20" spec: project: "{{ .project }}" source: repoURL: https://github.com/Countly/helm.git targetRevision: main - path: '{{ if eq .migration "enabled" }}charts/countly-migration{{ else }}charts/noop{{ end }}' + path: charts/countly-migration helm: releaseName: countly-migration valueFiles: diff --git a/argocd/countly-hosted/applicationsets/05-migration.yaml b/argocd/countly-hosted/applicationsets/05-migration.yaml index de2f277..176e749 100644 --- a/argocd/countly-hosted/applicationsets/05-migration.yaml +++ b/argocd/countly-hosted/applicationsets/05-migration.yaml @@ -12,18 +12,18 @@ spec: repoURL: https://github.com/Countly/countly-deployment.git revision: main files: - - path: customers/*.yaml + - path: customers/migration/*.yaml template: metadata: name: "{{ .customer }}-migration" annotations: - argocd.argoproj.io/sync-wave: "10" + argocd.argoproj.io/sync-wave: "20" spec: project: "{{ .project }}" sources: - repoURL: https://github.com/Countly/helm.git targetRevision: main - path: '{{ if eq .migration "enabled" }}charts/countly-migration{{ else }}charts/noop{{ end }}' + path: charts/countly-migration helm: releaseName: countly-migration valueFiles: diff --git a/argocd/customers/reference/migration.yaml b/argocd/customers/reference/migration.yaml new file mode 100644 index 0000000..4024a41 --- /dev/null +++ b/argocd/customers/reference/migration.yaml 
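Review bot: With the generator in `argocd/applicationsets/05-migration.yaml` now reading `argocd/customers/migration/*.yaml`, the `project` (and, judging by the reference file, the `server`) used by the template comes from a second, hand-copied file, and nothing visible checks that it agrees with the customer's own metadata. A migration file whose `project` or `server` differs from the base customer file would place a workload that holds MongoDB and ClickHouse credentials in a project or cluster the customer was never scoped to. I would add a CI check that fails when those fields differ, restrict who can approve changes under that directory, and add a comment above the generator path such as `# each file must repeat project and server from argocd/customers/<customer>.yaml`. The same applies to the `customers/migration/*.yaml` generator in `argocd/countly-hosted/applicationsets/05-migration.yaml`. The template's destination block lies outside both hunks.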
@@ -0,0 +1,11 @@ +# Copy this file to: +# argocd/customers/migration/.yaml +# +# Create that file only when the migration app should be enabled for a customer. +# The values should usually match the base customer metadata in: +# argocd/customers/.yaml + +customer: example-customer +environment: example-customer +project: countly-customers +server: https://kubernetes.default.svc diff --git a/environments/reference/credentials-migration.yaml b/environments/reference/credentials-migration.yaml index 6fe5890..20e8936 100644 --- a/environments/reference/credentials-migration.yaml +++ b/environments/reference/credentials-migration.yaml 
@@ -1,2 +1,40 @@ -# Migration secrets placeholder. -# Fill when `migration: enabled` is used for a customer. +# Reference secrets for the optional countly-migration app. +# +# Default pattern: values mode with bundled MongoDB + ClickHouse and bundled +# Redis. Only the MongoDB app password and ClickHouse default-user password are +# required in that mode. +# +# If you use External Secrets, switch to the commented block below and provide +# full connection secret refs for MONGO_URI, CLICKHOUSE_URL, CLICKHOUSE_PASSWORD, +# and REDIS_URL. +# - mongoUri: usually taken from the MongoDB chart's app connection string secret +# or built from the app user, replica set, and service DNS. +# - clickhouseUrl: usually points to the ClickHouse HTTP endpoint, for example +# http://countly-clickhouse-clickhouse-headless.clickhouse.svc.cluster.local:8123 +# - clickhousePassword: reuse the existing customer ClickHouse password secret; +# no separate migration password secret is needed. +# - redisUrl: if migration uses bundled Redis, point this to the in-cluster Redis +# service, for example redis://countly-migration-redis-master:6379 + +secrets: + mode: values + +backingServices: + mongodb: + password: "" # REQUIRED when mode=bundled + clickhouse: + password: "" # REQUIRED when mode=bundled + +# External Secret example: +# secrets: +# mode: externalSecret +# externalSecret: +# refreshInterval: "1h" +# secretStoreRef: +# name: gcp-secrets +# kind: ClusterSecretStore +# remoteRefs: +# mongoUri: "-mongodb-connection-string" +# clickhouseUrl: "-migration-clickhouse-url" +# clickhousePassword: "-clickhouse-password" +# redisUrl: "-migration-redis-url" diff --git a/environments/reference/migration.yaml b/environments/reference/migration.yaml index 6fa760c..6d6fccc 100644 --- a/environments/reference/migration.yaml +++ b/environments/reference/migration.yaml 
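Review bot: The reference defaults to `secrets.mode: values`, so a customer who fills in `backingServices.mongodb.password` and `backingServices.clickhouse.password` writes both database passwords in clear text into a file in the environments tree. The diff shows no encryption step, so if these files are committed as-is I would make the External Secrets block the uncommented default. At minimum, add `# Never commit real passwords here; use mode: externalSecret for shared repositories` above `secrets:`. The inline comments `# REQUIRED when mode=bundled` are also unclear, because `secrets.mode` is `values` here and `bundled` is a `backingServices.*.mode` value set in migration.yaml; `# REQUIRED when secrets.mode=values and the service is bundled` would say which key is meant. The values-mode heredoc for `credentials-migration.yaml` in `scripts/new-argocd-customer.sh` carries the same empty password placeholders.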
@@ -1,3 +1,63 @@ -# Migration overrides for optional countly-migration app. -# Enable per customer by setting `migration: enabled` in argocd/customers/.yaml -# and then filling this file with environment-specific overrides as needed. +# Reference values for the optional countly-migration app. +# +# Keep this file for every customer even when migration is disabled. +# When a customer later adds argocd/customers/migration/.yaml, this +# file already shows the expected non-secret knobs and bundled-vs-external +# service modes. + +image: + repository: countly/countly-migration + tag: "" + pullPolicy: IfNotPresent + pullSecrets: [] + +deployment: + replicas: 3 + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + +backingServices: + mongodb: + mode: bundled + releaseName: "countly" + namespace: mongodb + username: "app" + database: admin + replicaSet: "" + # External mode example: + # mode: external + # uri: "mongodb://app:password@mongodb.example:27017/admin?replicaSet=rs0&ssl=false" + clickhouse: + mode: bundled + releaseName: "countly" + namespace: clickhouse + username: "default" + tls: "false" + # External mode example: + # mode: external + # url: "http://clickhouse.example:8123" + redis: + url: "" + # External mode example: + # url: "redis://redis.example:6379" + +config: + RERUN_MODE: "resume" + LOG_LEVEL: "info" + +resources: + requests: + cpu: "500m" + memory: "1Gi" + limits: + cpu: "2" + memory: "3Gi" + +worker: + enabled: true + +redis: + enabled: true diff --git a/scripts/new-argocd-customer.sh b/scripts/new-argocd-customer.sh index bf1c4ee..c009232 100755 --- a/scripts/new-argocd-customer.sh +++ b/scripts/new-argocd-customer.sh @@ -26,7 +26,6 @@ Defaults: observability full kafkaConnect balanced kafkaConnectSizing auto - migration disabled gcpSA set after scaffold for External Secrets Workload Identity EOF } 
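Review bot: The external-mode MongoDB example in `environments/reference/migration.yaml` embeds a password in the URI (`mongodb://app:password@…`) and sets `ssl=false`, in a file whose header describes it as holding the non-secret knobs. An operator following it would put the database password into the non-secret values file and connect without transport encryption. The ClickHouse default `tls: "false"` and the `http://` and `redis://` examples point the same way. I would write the example without credentials, e.g. `# uri: supply through credentials-migration.yaml (remoteRefs.mongoUri), with tls=true`, and add a comment beside `tls: "false"` saying when plaintext is acceptable. The heredoc for `${env_dir}/migration.yaml` in `scripts/new-argocd-customer.sh` repeats the `tls: "false"` default.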
@@ -93,6 +92,7 @@ project="${positionals[3]:-countly-customers}" repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" env_dir="${repo_root}/environments/${customer}" customer_file="${repo_root}/argocd/customers/${customer}.yaml" +migration_customer_file="${repo_root}/argocd/customers/migration/${customer}.yaml" if [[ -e "${env_dir}" ]]; then echo "Environment already exists: ${env_dir}" >&2 @@ -105,6 +105,7 @@ if [[ -e "${customer_file}" ]]; then fi mkdir -p "$(dirname "${customer_file}")" +mkdir -p "$(dirname "${migration_customer_file}")" cp -R "${repo_root}/environments/reference" "${env_dir}" @@ -170,7 +171,59 @@ cat > "${env_dir}/observability.yaml" <<'EOF' EOF cat > "${env_dir}/migration.yaml" <<'EOF' -# Customer-specific migration overrides only. +# Customer-specific migration overrides. +# Keep this file even when migration is disabled so future enablement only +# requires filling the matching credentials file and creating the matching +# migration metadata file. + +image: + repository: countly/countly-migration + tag: "" + pullPolicy: IfNotPresent + pullSecrets: [] + +deployment: + replicas: 3 + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + +backingServices: + mongodb: + mode: bundled + releaseName: "countly" + namespace: mongodb + username: "app" + database: admin + replicaSet: "" + clickhouse: + mode: bundled + releaseName: "countly" + namespace: clickhouse + username: "default" + tls: "false" + redis: + url: "" + +config: + RERUN_MODE: "resume" + LOG_LEVEL: "info" + +resources: + requests: + cpu: "500m" + memory: "1Gi" + limits: + cpu: "2" + memory: "3Gi" + +worker: + enabled: true + +redis: + enabled: true EOF if [[ "${secret_mode}" == "gcp-secrets" ]]; then 
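Review bot: The heredoc written to `${env_dir}/migration.yaml` is a second copy of the defaults in `environments/reference/migration.yaml`, which `cp -R "${repo_root}/environments/reference" "${env_dir}"` (visible in the preceding hunk) has already placed at that path. Two copies will drift, and a later hardening of the reference, for example a change to `tls: "false"`, would not reach newly scaffolded customers unless the script is edited as well. I would drop the heredoc and keep the copied file, or derive the body from the reference, and leave a comment such as `# migration.yaml is copied from environments/reference; change defaults there`. The script continues outside the hunk, so other steps may rely on the overwrite.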
@@ -216,7 +269,7 @@ secrets: webSessionSecret: "${customer}-countly-web-session-secret" passwordSecret: "${customer}-countly-password-secret" clickhouse: - password: "${customer}-countly-clickhouse-password" + password: "${customer}-clickhouse-password" mongodb: password: "${customer}-mongodb-app-password" EOF @@ -271,6 +324,26 @@ users: metrics: enabled: true EOF + + cat > "${env_dir}/credentials-migration.yaml" < "${env_dir}/countly.yaml" <<'EOF' # Customer-specific Countly overrides only. @@ -331,6 +404,18 @@ users: enabled: true password: "" # REQUIRED: metrics exporter password EOF + + cat > "${env_dir}/credentials-migration.yaml" <<'EOF' +# Migration secrets — FILL IN when migration is enabled +secrets: + mode: values + +backingServices: + mongodb: + password: "" # REQUIRED when migration uses bundled MongoDB + clickhouse: + password: "" # REQUIRED when migration uses bundled ClickHouse +EOF fi cat > "${customer_file}" <- convention - 5. Commit and sync countly-bootstrap + 4. To enable migration later, copy argocd/customers/reference/migration.yaml to argocd/customers/migration/${customer}.yaml and replace it with customer, environment, project, and server from argocd/customers/${customer}.yaml + 5. If using GCP Secret Manager, create secrets using the ${customer}-- convention + 6. Commit and sync countly-bootstrap EOF
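Review bot: The remote reference for the ClickHouse password changes from `${customer}-countly-clickhouse-password` to `${customer}-clickhouse-password`, and nothing in the hunk says what happens to secrets that already exist under the old name. Environments generated earlier keep the old reference in their files, so the repository and the secret store would presumably hold two naming conventions, and a secret created under the wrong one would fail to resolve. I would state the rename in the printed next steps, e.g. `ClickHouse password secret is now ${customer}-clickhouse-password (was ${customer}-countly-clickhouse-password)`. Every other heredoc in the script that references the ClickHouse password should be checked for the same name. The enclosing heredoc starts before the hunk.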