diff --git a/.changeset/moody-lemons-open.md b/.changeset/moody-lemons-open.md
new file mode 100644
index 0000000..e6e6355
--- /dev/null
+++ b/.changeset/moody-lemons-open.md
@@ -0,0 +1,5 @@
+---
+"helm-charts": patch
+---
+
+Reference credentials in secret
diff --git a/charts/clickstack/templates/hyperdx-deployment.yaml b/charts/clickstack/templates/hyperdx-deployment.yaml
index caafd3d..8e2e365 100644
--- a/charts/clickstack/templates/hyperdx-deployment.yaml
+++ b/charts/clickstack/templates/hyperdx-deployment.yaml
@@ -114,7 +114,10 @@ spec:
             {{- else }}
             {{- if .Values.hyperdx.defaultConnections }}
             - name: DEFAULT_CONNECTIONS
-              value: {{ tpl .Values.hyperdx.defaultConnections . | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "clickstack.fullname" . }}-app-secrets
+                  key: defaultConnections
             {{- end }}
             {{- if .Values.hyperdx.defaultSources }}
             - name: DEFAULT_SOURCES
diff --git a/charts/clickstack/templates/otel-collector-deployment.yaml b/charts/clickstack/templates/otel-collector-deployment.yaml
index 95b066f..c4fcf0c 100644
--- a/charts/clickstack/templates/otel-collector-deployment.yaml
+++ b/charts/clickstack/templates/otel-collector-deployment.yaml
@@ -99,7 +99,10 @@ spec:
             - name: CLICKHOUSE_USER
               value: {{ .Values.otel.clickhouseUser | default .Values.clickhouse.config.users.otelUserName }}
             - name: CLICKHOUSE_PASSWORD
-              value: {{ .Values.otel.clickhousePassword | default .Values.clickhouse.config.users.otelUserPassword }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "clickstack.fullname" . }}-clickhouse-secrets
+                  key: otelUserPassword
             {{- if .Values.otel.customConfig }}
             - name: CUSTOM_OTELCOL_CONFIG_FILE
               value: /etc/otelcol-contrib/custom.config.yaml
diff --git a/charts/clickstack/templates/secrets.yaml b/charts/clickstack/templates/secrets.yaml
index 6550b59..494dbe6 100644
--- a/charts/clickstack/templates/secrets.yaml
+++ b/charts/clickstack/templates/secrets.yaml
@@ -7,6 +7,7 @@ metadata:
 type: Opaque
 data:
   api-key: {{ .Values.hyperdx.apiKey | b64enc }}
+  defaultConnections: {{ .Values.hyperdx.defaultConnections | toString | b64enc }}
 {{- if .Values.clickhouse.enabled }}
 ---
 apiVersion: v1
@@ -19,4 +20,4 @@ type: Opaque
 data:
   appUserPassword: {{ .Values.clickhouse.config.users.appUserPassword | toString | b64enc }}
   otelUserPassword: {{ .Values.clickhouse.config.users.otelUserPassword | toString | b64enc }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/clickstack/tests/external-connections-secret_test.yaml b/charts/clickstack/tests/external-connections-secret_test.yaml
index ffc4af6..a833faf 100644
--- a/charts/clickstack/tests/external-connections-secret_test.yaml
+++ b/charts/clickstack/tests/external-connections-secret_test.yaml
@@ -152,16 +152,10 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: DEFAULT_CONNECTIONS
-            value: |
-              [
-                {
-                  "name": "Local ClickHouse",
-                  "host": "http://RELEASE-NAME-clickstack-clickhouse:8123",
-                  "port": 8123,
-                  "username": "app",
-                  "password": "hyperdx"
-                }
-              ]
+            valueFrom:
+              secretKeyRef:
+                key: defaultConnections
+                name: RELEASE-NAME-clickstack-app-secrets
       - exists:
           path: spec.template.spec.containers[0].env[?(@.name == "DEFAULT_SOURCES")]
 
@@ -252,4 +246,4 @@ tests:
               secretKeyRef:
                 name: ""
                 key: "sources.json"
-                optional: false
\ No newline at end of file
+                optional: false
diff --git a/charts/clickstack/tests/otel-collector_test.yaml b/charts/clickstack/tests/otel-collector_test.yaml
index 41f831c..8e358f9 100644
--- a/charts/clickstack/tests/otel-collector_test.yaml
+++ b/charts/clickstack/tests/otel-collector_test.yaml
@@ -103,7 +103,10 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: CLICKHOUSE_PASSWORD
-            value: test-password
+            valueFrom:
+              secretKeyRef:
+                name: test-release-clickstack-clickhouse-secrets
+                key: otelUserPassword
       - documentSelector: *deployment-selector
         contains:
           path: spec.template.spec.containers[0].env
@@ -439,7 +442,10 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: CLICKHOUSE_PASSWORD
-            value: "custom-password"
+            valueFrom:
+              secretKeyRef:
+                name: test-release-clickstack-clickhouse-secrets
+                key: otelUserPassword
 
   - it: should render custom environment variables when specified
     set: