diff --git a/infrastructure/databases/mariadb-clusters/kustomization.yaml b/infrastructure/databases/mariadb-clusters/kustomization.yaml
index 5054e39..c690e6d 100644
--- a/infrastructure/databases/mariadb-clusters/kustomization.yaml
+++ b/infrastructure/databases/mariadb-clusters/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - mariadb.yaml
 - namespace.yaml
+- mariadb-clustersecrets.yaml
diff --git a/infrastructure/databases/mariadb-clusters/mariadb-clustersecrets.yaml b/infrastructure/databases/mariadb-clusters/mariadb-clustersecrets.yaml
new file mode 100644
index 0000000..a41a2f0
--- /dev/null
+++ b/infrastructure/databases/mariadb-clusters/mariadb-clustersecrets.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: mariadb-secrets
+  namespace: mariadb-databases
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: bitwarden
+    kind: ClusterSecretStore
+  target:
+    name: mariadb-secrets
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      mergePolicy: Merge
+      data:
+        password: '{{ index . "mariadb-cluster-root-password" }}'
+  data:
+    - secretKey: mariadb-cluster-root-password
+      remoteRef:
+        key: mariadb-cluster-root-password