diff --git a/stable/democratic-csi/examples/freenas-nfs.yaml b/stable/democratic-csi/examples/freenas-nfs.yaml
index a393a90..1c45b89 100644
--- a/stable/democratic-csi/examples/freenas-nfs.yaml
+++ b/stable/democratic-csi/examples/freenas-nfs.yaml
@@ -26,12 +26,31 @@ storageClasses:
 mountOptions:
 - noatime
 - nfsvers=3
- secrets:
- provisioner-secret:
- controller-publish-secret:
- node-stage-secret:
- node-publish-secret:
- controller-expand-secret:
+
+ # existingSecrets will look for an existing secret with name/namespace and use the values within for authentication
+ # the existing secret should contain something similar to with proper references for your secret:
+ # target:
+ # name: existingSecretName
+ # template:
+ # engineVersion: v2
+ # data:
+ # node-db.node.session.auth.authmethod: "CHAP"
+ # node-db.node.session.auth.username: "{{ .iscsi_username }}"
+ # node-db.node.session.auth.password: "{{ .iscsi_password }}"
+ # node-db.node.session.auth.username_in: "{{ .iscsi_username_in }}"
+ # node-db.node.session.auth.password_in: "{{ .iscsi_password_in }}"
+ existingSecret:
+ nfs-chap-secret:
+ name: existingSecretName
+ namespace: existingSecretNameSpace
+
+ # you can use EITHER an existingSecret or inline secrets below--not both.
+ # secrets:
+ # provisioner-secret:
+ # controller-publish-secret:
+ # node-stage-secret:
+ # node-publish-secret:
+ # controller-expand-secret:
 # if your cluster supports snapshots you may enable below
 volumeSnapshotClasses: []
diff --git a/stable/democratic-csi/templates/storage-classes.yaml b/stable/democratic-csi/templates/storage-classes.yaml
index fee7d7e..52ed674 100644
--- a/stable/democratic-csi/templates/storage-classes.yaml
+++ b/stable/democratic-csi/templates/storage-classes.yaml
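Review bot: The example sets `existingSecret:` (singular), but the template change in templates/storage-classes.yaml reads `$classRoot.existingSecrets`, so this block appears to be ignored; with `secrets:` now commented out, the rendered StorageClass would then carry no secret references at all. Rename the key to `existingSecrets:`. The entry key `nfs-chap-secret` is interpolated into the parameter name (`csi.storage.k8s.io/nfs-chap-secret-name`), which is not one of the secret parameters listed in the commented `secrets:` block, so the example should use one of those names, e.g. `node-stage-secret:`. The comment block above it describes iSCSI CHAP `node-db.*` fields in an NFS example and should be replaced by a description of what this driver's secret needs to contain.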
@@ -38,11 +38,19 @@ parameters:
 {{ $k }}: {{ $v | quote }}
 {{- end }}
-# this loop is deeply connected to the loop for Secret creation below
+{{- if $classRoot.existingSecrets }}
+# all or nothing for secrets -> either the chart manages your secret or you need to manually do so
+{{- range $k, $v := $classRoot.existingSecrets }}
+ csi.storage.k8s.io/{{ $k }}-name: {{ $v.name }}
+ csi.storage.k8s.io/{{ $k }}-namespace: {{ default $root.Release.Namespace $v.namespace }}
+{{- end }}
+{{- else }}
+# if no existingSecrets, this loop (and the Secret creation below) will create them
 {{- range $k, $v := $classRoot.secrets }}
 csi.storage.k8s.io/{{ $k }}-name: {{ printf "%s-%s-%s" $k $classRoot.name $fullName | trunc 63 | trimSuffix "-" }}
 csi.storage.k8s.io/{{ $k }}-namespace: {{ $root.Release.Namespace }}
 {{- end }}
+{{- end }}
 {{- if $classRoot.mountOptions }}
 mountOptions:
@@ -51,10 +59,13 @@ mountOptions:
 {{ end }}
 {{- end }}
-# this loop is deeply connected to the loop for secret parameter settings above
+# if any storageClasses, look for existingSecrets (and do nothing) or secrets (and create them)
+# exclusive operation -> if existingSecrets found, you must manually create properly formatted secrets.
 {{- if .Values.storageClasses -}}
 {{- range .Values.storageClasses }}
 {{- $classRoot := . -}}
+# if you have an existingSecret, we're not creating _any_ secrets for you
+{{- if not $classRoot.existingSecrets }}
 {{- range $k, $v := $classRoot.secrets }}
 ---
 apiVersion: v1
@@ -70,3 +81,4 @@ stringData:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/stable/democratic-csi/values.yaml b/stable/democratic-csi/values.yaml
index 6cf42e2..8602a58 100644
--- a/stable/democratic-csi/values.yaml
+++ b/stable/democratic-csi/values.yaml
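Review bot: The two new `existingSecrets` parameter lines emit `{{ $v.name }}` and the namespace unquoted, unlike the `{{ $v | quote }}` line just above, so a missing, boolean-looking or numeric value renders as a null or non-string StorageClass parameter instead of failing. Suggest `csi.storage.k8s.io/{{ $k }}-name: {{ required "existingSecrets entry needs a name" $v.name | quote }}` and adding `| quote` to the namespace line. Because `$k` becomes part of the parameter name, the `anyName: # can be any arbitrary name` comment in the values.yaml hunk is misleading; it should say the key has to be one of the secret parameter names such as `provisioner-secret` or `node-stage-secret`. The enclosing StorageClass template starts outside this hunk.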
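Review bot: When a class sets both `existingSecrets` and `secrets`, the new `{{- if not $classRoot.existingSecrets }}` guard skips Secret creation silently, so credentials an operator placed under `secrets` are dropped with no signal at install time. Failing the render is safer: `{{- if and $classRoot.existingSecrets $classRoot.secrets }}{{ fail "set either existingSecrets or secrets for a storage class, not both" }}{{- end }}`. The added `# if you have an existingSecret...` line is a YAML comment inside the range, so it appears to be written into the rendered manifest once per storage class; a template comment `{{- /* ... */ -}}` would keep it out of the output. The matching `{{- end }}` for the new guard is in the following hunk.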
@@ -299,6 +299,26 @@ storageClasses: []
 # # for nfs should be nfs
 # fsType:
 # mountOptions: []
+
+# existingSecrets:
+# anyName: # can be any arbitrary name
+# name: existingSecretName
+# namespace: existingSecretNamespace
+
+# existingSecrets will look for an existing secret with name/namespace and use the values within for authentication
+# the existing secret should contain something similar to with proper references for your secret:
+# target:
+# name: existingSecretName
+# template:
+# engineVersion: v2
+# data:
+# node-db.node.session.auth.authmethod: "CHAP"
+# node-db.node.session.auth.username: "{{ .iscsi_username }}"
+# node-db.node.session.auth.password: "{{ .iscsi_password }}"
+# node-db.node.session.auth.username_in: "{{ .iscsi_username_in }}"
+# node-db.node.session.auth.password_in: "{{ .iscsi_password_in }}"
+# if you use an existingSecret -- any `secrets` below WILL BE IGNORED.
+
 # secrets:
 # provisioner-secret:
 # controller-publish-secret: