diff --git a/deployment/helm/ditto/templates/nginx-auth.yaml b/deployment/helm/ditto/templates/nginx-auth.yaml
index 582cf89e8c5..b4165500d14 100644
--- a/deployment/helm/ditto/templates/nginx-auth.yaml
+++ b/deployment/helm/ditto/templates/nginx-auth.yaml
@@ -24,13 +24,24 @@ type: Opaque
 stringData:
 nginx.htpasswd: |-
 {{- if .Values.global.hashedBasicAuthUsers }}
-{{ range .Values.global.hashedBasicAuthUsers }}
-{{- . | indent 4 }}
-{{ end }}
+ {{ range .Values.global.hashedBasicAuthUsers }}
+ {{- . | indent 4 }}
+ {{ end }}
 {{- else }}
-{{ range $key, $value := .Values.global.basicAuthUsers }}
-{{- (htpasswd $value.user $value.password) | indent 4 }}
-{{ end }}
+ {{- if (quote .Values.global.existingSecret | empty) }}
+ {{ range $key, $value := .Values.global.basicAuthUsers }}
+ {{- (htpasswd $value.user $value.password) | indent 4 }}
+ {{ end }}
+ {{- else }}
+ {{- $secret := lookup "v1" "Secret" $.Release.Namespace .Values.global.existingSecret }}
+ {{- if $secret }}
+ {{- range $user, $password := $secret.data }}
+ {{ htpasswd $user ($password | b64dec) | indent 4 }}
+ {{- end }}
+ {{- else}}
+ {{- fail (printf "Missing provided existingSecret for basicAuthUsers: %s" .Values.global.existingSecret) }}
+ {{- end }}
+ {{ end }}
 {{ end }}
 ---
 {{- end }}
diff --git a/deployment/helm/ditto/templates/nginx-ingress-auth.yaml b/deployment/helm/ditto/templates/nginx-ingress-auth.yaml
index 9179f84a06e..209c394f820 100644
--- a/deployment/helm/ditto/templates/nginx-ingress-auth.yaml
+++ b/deployment/helm/ditto/templates/nginx-ingress-auth.yaml
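Review bot: The guard `{{- if (quote .Values.global.existingSecret | empty) }}` only recognises an unset (nil) value as "not provided": `quote` turns an empty string into the two-character literal `""`, which `empty` does not consider empty, so `--set global.existingSecret=""` (or `existingSecret: ""` in a values file) takes the lookup branch and ends in the `fail` call with an empty secret name. `{{- if empty .Values.global.existingSecret }}` covers both nil and the empty string. Separately, `lookup` returns nothing when there is no live cluster (`helm template`, `--dry-run`, chart linting), so with existingSecret set the chart cannot be rendered offline and the installing identity needs read access to Secrets in the release namespace; that deserves a comment next to the `lookup` line, e.g. `{{- /* requires a live cluster and Secret read permission; helm template/--dry-run will hit the fail below */}}`. The same hunk appears verbatim in nginx-ingress-auth.yaml.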
@@ -24,13 +24,24 @@ type: Opaque
 stringData:
 auth: |-
 {{- if .Values.global.hashedBasicAuthUsers }}
-{{ range .Values.global.hashedBasicAuthUsers }}
-{{- . | indent 4 }}
-{{ end }}
+ {{ range .Values.global.hashedBasicAuthUsers }}
+ {{- . | indent 4 }}
+ {{ end }}
 {{- else }}
-{{ range $key, $value := .Values.global.basicAuthUsers }}
-{{- (htpasswd $value.user $value.password) | indent 4 }}
-{{ end }}
+ {{- if (quote .Values.global.existingSecret | empty) }}
+ {{ range $key, $value := .Values.global.basicAuthUsers }}
+ {{- (htpasswd $value.user $value.password) | indent 4 }}
+ {{ end }}
+ {{- else }}
+ {{- $secret := lookup "v1" "Secret" $.Release.Namespace .Values.global.existingSecret }}
+ {{- if $secret }}
+ {{- range $user, $password := $secret.data }}
+ {{ htpasswd $user ($password | b64dec) | indent 4 }}
+ {{- end }}
+ {{- else}}
+ {{- fail (printf "Missing provided existingSecret for basicAuthUsers: %s" .Values.global.existingSecret) }}
+ {{- end }}
+ {{ end }}
 {{ end }}
 ---
 {{- end }}
diff --git a/deployment/helm/ditto/values.yaml b/deployment/helm/ditto/values.yaml
index 6f47cdb1157..bddadb2c6be 100644
--- a/deployment/helm/ditto/values.yaml
+++ b/deployment/helm/ditto/values.yaml
@@ -74,6 +74,13 @@ global:
 # password: ditto
 # - user: jane
 # password: janesPw
+
+ # existingSecret contains the name of existing secret containing user and password
+ # format: ${user}:${password}, where secret key is ${user} and value is ${password}
+ # example creating secret for users ditto and jane:
+ # kubectl create secret generic ditto-basic-auth --from-literal ditto=ditto --from-literal jane=janesPw
+ # if not set then basicAuthUsers values are used.
+ existingSecret:
 # hashedBasicAuthUsers configures a list of hashed .htpasswd username/password entries
 hashedBasicAuthUsers: []
 # jwtOnly controls whether only OpenID-Connect authentication is supported
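Review bot: The new comment `# format: ${user}:${password}, where secret key is ${user} and value is ${password}` in values.yaml reads as though a single key holds a colon-separated pair, whereas the templates range over the Secret's `data` and turn every key into a username with its decoded value as that user's password. Suggest replacing it with `# each data key of the Secret is a username and its value is that user's password` and adding `# every key in the Secret becomes a login, so keep only user entries in it`. The bare `existingSecret:` (null) is the form the templates' `quote … | empty` check treats as unset; a comment saying so would stop a later yamllint-driven change to `""`, which that check does not treat as unset.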