diff --git a/docs/external-secrets.md b/docs/external-secrets.md index b83dbec1..08000f2f 100644 --- a/docs/external-secrets.md +++ b/docs/external-secrets.md @@ -13,6 +13,7 @@ This document covers how to utilise external secrets and special requirements. * [Cassandra](#cassandra) * [Keycloak](#keycloak) * [MinIO](#minio) + * [Notes](#notes) * [XWiki](#xwiki) @@ -73,6 +74,20 @@ stringData: Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them. +## Notes + +There are some values that consist of more than just one secret part. + +```yaml +backend: + configuration: + django: + superuserEmail: + value: {{ printf "default.admin@%s" .Values.global.domain | quote }} + redisUrl: + value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7" +``` + ## XWiki Properties listed in the file of the external secret will overwrite plain values. diff --git a/helmfile/apps/notes/values.yaml.gotmpl b/helmfile/apps/notes/values.yaml.gotmpl index 0f1dc298..de7eab4e 100644 --- a/helmfile/apps/notes/values.yaml.gotmpl +++ b/helmfile/apps/notes/values.yaml.gotmpl 
@@ -4,12 +4,22 @@ global: collaborationServerSecret: value: {{ .Values.secrets.notes.collaborationSecret | quote }} + existingSecret: + name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }} + key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }} fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}" imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} tlsSecretName: {{ .Values.ingress.tls.secretName | quote }} yProviderApiKey: value: {{ .Values.secrets.notes.collaborationSecret | quote }} + existingSecret: + name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }} + key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }} + fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}" + tlsSecretName: {{ .Values.ingress.tls.secretName | quote }} + fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}" + tlsSecretName: {{ .Values.ingress.tls.secretName | quote }} backend: image: 
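Review bot: The four added lines after the `yProviderApiKey.existingSecret` block re-declare `fqdn:` and `tlsSecretName:` twice more under `global:`, which already defines both keys a few lines above in the context; duplicate mapping keys are a hard error on stricter YAML parsers and silently last-wins on others, so the rendered values file may fail to load or hide a later divergence. They read as a paste leftover rather than an intended change (exact indentation cannot be confirmed from this collapsed view, but the template text is identical to the existing keys). Drop the four `+  fqdn:` / `+  tlsSecretName:` lines and keep the two existing definitions. Separately, `collaborationServerSecret` and `yProviderApiKey` now both resolve to `externalSecrets.notes.collaborationSecret`, mirroring the shared inline value already in the context; if these are meant to be distinct credentials a second external-secret entry is needed, which is not decidable from here.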
@@ -36,14 +46,23 @@ backend: ai: apiKey: value: {{ .Values.ai.apiKey }} + existingSecret: + name: {{ .Values.externalSecrets.ai.apiKey.name | quote }} + key: {{ .Values.externalSecrets.ai.apiKey.key | quote }} baseUrl: {{ .Values.ai.endpoint }} model: {{ .Values.ai.model | quote }} aws: endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }} s3AccessKeyId: value: {{ .Values.objectstores.notes.username }} + existingSecret: + name: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.name | quote }} + key: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.key | quote }} s3SecretAccessKey: value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }} + existingSecret: + name: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.name | quote }} + key: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.key | quote }} storageBucketName: {{ .Values.objectstores.notes.bucket }} collaboration: apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }} @@ -53,9 +72,15 @@ backend: name: {{ .Values.databases.notes.name | quote }} password: value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }} + existingSecret: + name: {{ .Values.externalSecrets.databases.notes.password.name | quote }} + key: {{ .Values.externalSecrets.databases.notes.password.key | quote }} port: {{ .Values.databases.notes.port | quote }} user: value: {{ .Values.databases.notes.username | quote }} + existingSecret: + name: {{ .Values.externalSecrets.databases.notes.user.name | quote }} + key: {{ .Values.externalSecrets.databases.notes.user.key | quote }} email: brandName: "openDesk" from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}" 
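Review bot: In the `password` block of the databases hunk the inline `value:` (falling back to `.Values.secrets.postgresql.notesUser`) is still rendered next to the new `existingSecret:`, and nothing in this diff shows which of the two the chart honours when both are present; if `value` wins, the external secret is silently ignored, and in either case the fallback password still lands in the rendered values. Unless the chart is known to ignore `value` whenever `existingSecret.name` is non-empty, guard the inline line with `{{- if not .Values.externalSecrets.databases.notes.password.name }}` before `value:` and `{{- end }}` after it, which also keeps the default environment (where `name` renders as `""`) on the inline path. The same pairing applies to `ai.apiKey` and the two S3 entries in the first hunk. The enclosing `backend:` mapping starts before and continues past these hunks.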
@@ -64,14 +89,23 @@ backend: logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }} user: value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }} + existingSecret: + name: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.name | quote }} + key: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.key | quote }} password: value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }} + existingSecret: + name: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.name | quote }} + key: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.key | quote }} oidc: enabled: true rpClientId: value: "opendesk-notes" rpClientSecret: value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }} + existingSecret: + name: {{ .Values.externalSecrets.keycloak.clientSecret.notes.name | quote }} + key: {{ .Values.externalSecrets.keycloak.clientSecret.notes.key | quote }} opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs" opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth" opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token" 
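Review bot: The `existingSecret` added under `email.user` lets an operator supply the SMTP user from a Secret, but that value is a composite built as `opendesk-system@` + `global.mailDomain | default global.domain`, and the new "Notes" section in docs/external-secrets.md (earlier in this diff) lists only `superuserEmail` and `redisUrl` as values with more than one part. An operator who provides `opendeskSystemUsername` externally has to reproduce exactly that format or mail delivery breaks, so the docs example should also show the `email.user` template line, `value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}`. The `rpClientSecret` entry is fine as-is since `rpClientId` stays a literal. The enclosing `backend:` mapping continues outside the hunk.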
@@ -88,14 +122,26 @@ backend: django: secretKey: value: {{ .Values.secrets.notes.djangoSecretKey }} + existingSecret: + name: {{ .Values.externalSecrets.notes.django.secretKey.name | quote }} + key: {{ .Values.externalSecrets.notes.django.secretKey.key | quote }} createSuperuser: true superuserEmail: value: {{ printf "default.admin@%s" .Values.global.domain | quote }} + existingSecret: + name: {{ .Values.externalSecrets.notes.django.superuserEmail.name | quote }} + key: {{ .Values.externalSecrets.notes.django.superuserEmail.key | quote }} superuserPassword: value: {{ .Values.secrets.notes.superuser }} + existingSecret: + name: {{ .Values.externalSecrets.notes.django.superuserPassword.name | quote }} + key: {{ .Values.externalSecrets.notes.django.superuserPassword.key | quote }} frontendTheme: "openDesk" redisUrl: value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7" + existingSecret: + name: {{ .Values.externalSecrets.notes.redisUrl.name | quote }} + key: {{ .Values.externalSecrets.notes.redisUrl.key | quote }} extraEnvVars: - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED" value: "False" diff --git a/helmfile/environments/default/external_secrets.yaml.gotmpl b/helmfile/environments/default/external_secrets.yaml.gotmpl index e205f607..971bbab1 100644 --- a/helmfile/environments/default/external_secrets.yaml.gotmpl +++ b/helmfile/environments/default/external_secrets.yaml.gotmpl @@ -4,6 +4,10 @@ SPDX-License-Identifier: Apache-2.0 */}} --- externalSecrets: + ai: + apiKey: + name: "a" + key: "aiapikey" cache: intercom: password: @@ -42,6 +46,13 @@ externalSecrets: username: name: ~ key: ~ + notes: + password: + name: "a" + key: "notesDatabasePassword" + user: + name: "a" + key: "notesDatabaseUser" xwiki: password: name: ~ 
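Review bot: The new `externalSecrets` entries for `ai.apiKey`, `databases.notes.password` and `databases.notes.user` in the default environment file set `name: "a"` while every other entry in the same file uses `name: ~`; a stock deployment would therefore point the notes chart at a Kubernetes Secret literally named `a` with keys like `aiapikey`, which presumably does not exist, so rendering either breaks or takes the external-secret path with nothing behind it. These look like local test fixtures committed by mistake. Replace them with `name: ~` and `key: ~` to match the surrounding entries, or, if a bundled Secret is actually intended, give it a descriptive name and document it in docs/external-secrets.md. In the values hunk, `redisUrl.existingSecret` expects the operator to supply the full `redis://default:<password>@host:port/7` URL, which the docs hunk does cover.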
@@ -74,10 +85,13 @@ externalSecrets: intercom: name: ~ key: ~ - xwiki: + nextcloudOidc: name: ~ key: ~ - nextcloudOidc: + notes: + name: "a" + key: "keycloaknotes" + xwiki: name: ~ key: ~ minio: @@ -96,6 +110,23 @@ externalSecrets: metricsToken: name: ~ key: ~ + notes: + collaborationSecret: + name: "a" + key: "notesCollaborationSecret" + django: + secretKey: + name: "a" + key: "notesDjangoSecretKey" + superuserEmail: + name: "a" + key: "notessuperuserEmail" + superuserPassword: + name: "a" + key: "notessuperuserPassword" + redisUrl: + name: "a" + key: "notesredisurl" nubus: ics: session: @@ -125,6 +156,13 @@ externalSecrets: secretKey: name: ~ key: ~ + notes: + s3AccessKeyId: + name: "a" + key: "objectstoresNotesS3AccessKeyId" + s3SecretAccessKey: + name: "a" + key: "objectstoresNotesS3SecretAccessKey" nubus: accessKey: name: ~
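Review bot: The `keycloak.clientSecret.notes`, `notes.*` and `objectstores.notes.*` entries added here ship with `name: "a"` instead of the `~` placeholder used by the neighbouring entries, so a default deployment would reference a Secret named `a` that is unlikely to exist; reset them to `name: ~` / `key: ~` before merge. The key names are also inconsistent in casing — `keycloaknotes`, `notessuperuserEmail`, `notesredisurl` next to `notesCollaborationSecret` and `objectstoresNotesS3AccessKeyId` — which only documents the expected Secret layout, but a uniform camelCase (`keycloakNotes`, `notesSuperuserEmail`, `notesRedisUrl`) is easier for operators to follow and to grep. The `xwiki`/`nextcloudOidc` reorder in the first hunk is cosmetic and carries no change.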