diff --git a/CHANGELOG.md b/CHANGELOG.md
index e1a7e63..bb7eadb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,14 @@
+# 6.8.0
+
+- LDAP passwords can be given as secrets:
+```yaml
+externalAuth:
+ ldap:
+ passwordSecretRef:
+ name: ldap-auth
+ key: password
+```
+
 # 6.7.0
 - Added support for `HTTPRoute` via the Gateway API:
diff --git a/Chart.yaml b/Chart.yaml
index 4c4aef2..e9a4bf1 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time
 # you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 6.7.0
+version: 6.8.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/templates/deployment-sidekiq.yaml b/templates/deployment-sidekiq.yaml
index a75d3c9..1965cfb 100644
--- a/templates/deployment-sidekiq.yaml
+++ b/templates/deployment-sidekiq.yaml
@@ -242,6 +242,13 @@ spec:
 value: "true"
 {{- end }}
 {{- end }}
+ {{- if and $context.Values.externalAuth.ldap.enabled $context.Values.externalAuth.ldap.passwordSecretRef.name }}
+ - name: LDAP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $context.Values.externalAuth.ldap.passwordSecretRef.name }}
+ value: {{ $context.Values.externalAuth.ldap.passwordSecretRef.key | default "password" }}
+ {{- end }}
 {{- if $context.Values.mastodon.metrics.prometheus.enabled }}
 ports:
 - name: prometheus
diff --git a/templates/deployment-streaming.yaml b/templates/deployment-streaming.yaml
index 6fa3078..4e5c810 100644
--- a/templates/deployment-streaming.yaml
+++ b/templates/deployment-streaming.yaml
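Review bot: The added `secretKeyRef` block in deployment-sidekiq.yaml uses `value:` where Kubernetes expects `key:`; a `secretKeyRef` takes `name` and `key`, so the rendered env entry lacks the required key and `LDAP_PASSWORD` will not be populated from the Secret (the Deployment should fail API validation instead). The line should read `key: {{ $context.Values.externalAuth.ldap.passwordSecretRef.key | default "password" | quote }}`, and the `name:` line above it should also be piped through `quote` so an unusual Secret name cannot change the YAML structure. The same `value:` line appears in the deployment-streaming.yaml and deployment-web.yaml hunks of this commit and needs the same change. The enclosing container spec starts and ends outside the hunk.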
@@ -137,6 +137,13 @@ spec:
 {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.streaming.port | quote }}
+ {{- if and .Values.externalAuth.ldap.enabled .Values.externalAuth.ldap.passwordSecretRef.name }}
+ - name: LDAP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.externalAuth.ldap.passwordSecretRef.name }}
+ value: {{ .Values.externalAuth.ldap.passwordSecretRef.key | default "password" }}
+ {{- end }}
 {{- range $k, $v := .Values.mastodon.streaming.extraEnvVars }}
 - name: {{ $k }}
 value: {{ quote $v }}
diff --git a/templates/deployment-web.yaml b/templates/deployment-web.yaml
index bba77c8..e902e88 100644
--- a/templates/deployment-web.yaml
+++ b/templates/deployment-web.yaml
@@ -216,6 +216,13 @@ spec:
 value: "true"
 {{- end }}
 {{- end }}
+ {{- if and .Values.externalAuth.ldap.enabled .Values.externalAuth.ldap.passwordSecretRef.name }}
+ - name: LDAP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.externalAuth.ldap.passwordSecretRef.name }}
+ value: {{ .Values.externalAuth.ldap.passwordSecretRef.key | default "password" }}
+ {{- end }}
 - name: TEST_ENV_VALUE
 value: {{ .Values.mastodon.metrics.statsd.address }}
 volumeMounts:
diff --git a/values.yaml b/values.yaml
index 44ee3c0..148a1f7 100644
--- a/values.yaml
+++ b/values.yaml
@@ -924,6 +924,9 @@ externalAuth:
 # base:
 # bind_dn:
 # password:
+ # passwordSecretRef:
+ # name:
+ # key: password
 # uid: cn
 # mail: mail
 # search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"
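Review bot: The LDAP bind password is injected into the streaming container in deployment-streaming.yaml, but nothing visible in this hunk shows the streaming process consuming LDAP settings; the surrounding context only sets `PORT` and `extraEnvVars`. If the streaming server does not perform LDAP binds, this block should be dropped from this template so the credential is mounted only in the pods that authenticate users. If it is needed, a short comment such as `# streaming needs the bind password because …` above the `if` would record why. The enclosing container spec starts and ends outside the hunk.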
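Review bot: `passwordSecretRef` is introduced in values.yaml only as a commented-out example, while the three deployment templates dereference `.Values.externalAuth.ldap.passwordSecretRef.name` unconditionally inside `and`. With LDAP enabled and only the existing `password` value set, Helm will presumably fail rendering with a nil-pointer error on the missing map, and on Helm builds where `and` does not short-circuit this could happen even with LDAP disabled; the uncommented part of the `ldap` block is outside this hunk, so please confirm. An uncommented default such as `passwordSecretRef: {}` under `ldap:` would avoid this. The example would also benefit from a comment stating what happens when both `password` and `passwordSecretRef` are set, for instance `# Reference an existing Secret instead of storing the bind password in values; set only one of password / passwordSecretRef`.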