diff --git a/ghost/ghost-app/deployment-ghost.yaml b/ghost/ghost-app/deployment-ghost.yaml index a92acd0..4f21e1e 100644 --- a/ghost/ghost-app/deployment-ghost.yaml +++ b/ghost/ghost-app/deployment-ghost.yaml @@ -8,7 +8,7 @@ metadata: spec: replicas: 1 strategy: - type: Recreate + type: RollingUpdate template: spec: securityContext: @@ -23,8 +23,6 @@ spec: env: - name: BITNAMI_DEBUG value: "true" - - name: ALLOW_EMPTY_PASSWORD - value: "yes" - name: GHOST_DATABASE_HOST value: mariadb - name: GHOST_DATABASE_PORT_NUMBER @@ -33,12 +31,22 @@ spec: value: bitnami_ghost - name: GHOST_DATABASE_USER value: bn_ghost + - name: GHOST_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: mariadb + key: mysql-password - name: GHOST_HOST value: example.com - name: GHOST_PORT_NUMBER value: "2368" - name: GHOST_USERNAME value: user + - name: GHOST_PASSWORD + valueFrom: + secretKeyRef: + name: ghost-app + key: ghost-password - name: GHOST_EMAIL value: user@example.com - name: GHOST_BLOG_TITLE diff --git a/ghost/ghost-app/externalsecret.yaml b/ghost/ghost-app/externalsecret.yaml new file mode 100644 index 0000000..d721c31 --- /dev/null +++ b/ghost/ghost-app/externalsecret.yaml @@ -0,0 +1,19 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ghost-app + namespace: example + labels: + app.kubernetes.io/name: ghost-app +spec: + refreshInterval: 1h # rate SecretManager pulls GCPSM + secretStoreRef: + kind: ClusterSecretStore + name: gcp-secret-provider # name of the SecretStore (or kind specified) + target: + name: ghost-app # name of the k8s Secret to be created + creationPolicy: Owner + dataFrom: + - extract: + key: blog-credentials # name of the GCPSM secret key + version: "2" diff --git a/ghost/mariadb/externalsecret.yaml b/ghost/mariadb/externalsecret.yaml new file mode 100644 index 0000000..5bf4ae5 --- /dev/null +++ b/ghost/mariadb/externalsecret.yaml 
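Review bot: Changing `strategy.type` to `RollingUpdate` while `replicas: 1` stays means a new Ghost pod is started before the old one is gone; if the pod mounts a ReadWriteOnce content volume (not visible in this hunk) the replacement cannot attach it until the old pod exits, and two Ghost versions briefly share one database while start-up migrations run. If that overlap is not intended, keep the type but make the rollout stop-then-start: `rollingUpdate:` / `maxSurge: 0` / `maxUnavailable: 1` under `strategy`. The Deployment spec continues outside the hunk.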
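Review bot: `GHOST_DATABASE_PASSWORD` and `GHOST_PASSWORD` read keys `mysql-password` and `ghost-password` from the `mariadb` and `ghost-app` Secrets, and nothing at the reference says those keys only exist if the GCPSM payloads extracted by the two new ExternalSecrets use exactly those field names. A comment on the first `secretKeyRef` would spare the next maintainer the cross-file lookup: `# key names must match the fields of the GCPSM payload synced by externalsecret.yaml`. Note also that env values are read once at container start, so a re-synced Secret does not reach a running pod until it is restarted; since no `optional:` is set, a missing key correctly blocks container creation rather than starting Ghost without a password. The `env` list and the container spec continue outside the hunk.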
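Review bot: `version: "2"` pins the GCPSM secret to a single version, so `refreshInterval: 1h` only re-fetches that same payload and a rotation in Secret Manager never reaches the `ghost-app` Secret until this file is edited; the same applies to `version: "1"` in ghost/mariadb/externalsecret.yaml. Pinning is a defensible choice for reproducibility, but it should be stated on the line, e.g. `version: "2"  # pinned on purpose: bump to roll the credential`. As far as I can tell `dataFrom.extract` also requires the stored payload to be a JSON/YAML map whose fields become Secret keys (here it must contain `ghost-password`), which nothing in the repo validates, so the `key:` comment could say `# GCPSM secret; JSON map, must contain ghost-password`.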
@@ -0,0 +1,19 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: mariadb + namespace: example + labels: + app.kubernetes.io/name: mariadb +spec: + refreshInterval: 1h # rate SecretManager pulls GCPSM + secretStoreRef: + kind: ClusterSecretStore + name: gcp-secret-provider # name of the SecretStore (or kind specified) + target: + name: mariadb # name of the k8s Secret to be created + creationPolicy: Owner + dataFrom: + - extract: + key: blog-db-credentials # name of the GCPSM secret key + version: "1" diff --git a/ghost/mariadb/statefulset-mariadb.yaml b/ghost/mariadb/statefulset-mariadb.yaml index c97e518..94886e2 100644 --- a/ghost/mariadb/statefulset-mariadb.yaml +++ b/ghost/mariadb/statefulset-mariadb.yaml @@ -26,12 +26,20 @@ spec: env: - name: BITNAMI_DEBUG value: "true" + - name: MARIADB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: mariadb + key: mysql-root-password + - name: MARIADB_PASSWORD + valueFrom: + secretKeyRef: + name: mariadb + key: mysql-password - name: MARIADB_USER value: bn_ghost - name: MARIADB_DATABASE value: bitnami_ghost - - name: ALLOW_EMPTY_PASSWORD - value: "true" ports: - name: mysql containerPort: 3306
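Review bot: The `mariadb` Secret produced here carries both the root and the application password in one object, and the Ghost Deployment in ghost/ghost-app/deployment-ghost.yaml mounts the app password from this same Secret; any identity that can read it for `mysql-password` also obtains `mysql-root-password`. If the GCPSM payload can be split, a second ExternalSecret holding only the application credential would keep root out of the Ghost pod's reach; otherwise record the trade-off above `target`, e.g. `# shared with the Ghost Deployment: grants root-password visibility to anyone who can read this Secret`. Whether the `gcp-secret-provider` ClusterSecretStore allows namespace `example` cannot be seen from this hunk.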
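Review bot: `MARIADB_ROOT_PASSWORD` and `MARIADB_PASSWORD` are now injected from the `mariadb` Secret, but as far as I know the Bitnami MariaDB image applies these variables only when it initialises an empty data directory; if the StatefulSet's existing volume was initialised under the removed `ALLOW_EMPTY_PASSWORD` setting, the accounts keep their empty password after this rollout and Ghost's new `GHOST_DATABASE_PASSWORD` will be rejected. Either plan a one-off password change on the running instance or recreate the data volume, and say so above `MARIADB_ROOT_PASSWORD`, e.g. `# applied only on first initialisation of the data dir; existing instances must be updated by hand`. The container spec and the volume claim templates are outside the hunk.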