diff --git a/kubernetes/apps/media/immich/app/externalsecret.yaml b/kubernetes/apps/media/immich/app/externalsecret.yaml
index c77deaac..d093fd4c 100644
--- a/kubernetes/apps/media/immich/app/externalsecret.yaml
+++ b/kubernetes/apps/media/immich/app/externalsecret.yaml
@@ -13,7 +13,7 @@ spec:
     template:
       engineVersion: v2
       data:
-        DATABASE_URI: "postgresql://{{ .user }}:{{ .password }}@immich-primary-real.media.svc:{{ .port }}/{{ .dbname }}"
+        DATABASE_URI: "postgresql://{{ .DATABASE_USER }}:{{ .DATABASE_PASSWORD }}@immich-primary-real.media.svc:{{ .DATABASE_PORT }}/{{ .DATABASE_NAME }}"
   dataFrom:
     - extract:
-        key: immich-pguser-immich
+        key: immich
diff --git a/kubernetes/apps/media/immich/app/helmrelease.yaml b/kubernetes/apps/media/immich/app/helmrelease.yaml
index def62ac7..5e1a5f69 100644
--- a/kubernetes/apps/media/immich/app/helmrelease.yaml
+++ b/kubernetes/apps/media/immich/app/helmrelease.yaml
@@ -58,8 +58,8 @@ spec:
               DB_URL:
                 valueFrom:
                   secretKeyRef:
-                    name: immich-pguser-immich
-                    key: uri
+                    name: immich-secret
+                    key: DATABASE_URI
             envFrom:
               - configMapRef:
                   name: immich-app-config
diff --git a/kubernetes/apps/media/immich/app/kustomization.yaml b/kubernetes/apps/media/immich/app/kustomization.yaml
index 2fa8b224..e2d93ed7 100644
--- a/kubernetes/apps/media/immich/app/kustomization.yaml
+++ b/kubernetes/apps/media/immich/app/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
   - ./machine-learning
   - ./microservices
   - ./postgresCluster.yaml
+  - ./pushsecret.yaml
   - ./service.yaml
 configMapGenerator:
   - name: immich-databse-init-sql
diff --git a/kubernetes/apps/media/immich/app/pushsecret.yaml b/kubernetes/apps/media/immich/app/pushsecret.yaml
new file mode 100644
index 00000000..e2a8ca31
--- /dev/null
+++ b/kubernetes/apps/media/immich/app/pushsecret.yaml
@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  name: immich
+spec:
+  refreshInterval: 1h
+  secretStoreRefs:
+    - name: onepassword-connect
+      kind: ClusterSecretStore
+  selector:
+    secret:
+      name: immich-pguser-immich
+  data:
+    - match:
+        secretKey: dbname
+        remoteRef:
+          remoteKey: immich
+          property: DATABASE_NAME
+    - match:
+        secretKey: host
+        remoteRef:
+          remoteKey: immich
+          property: DATABASE_HOST
+    - match:
+        secretKey: user
+        remoteRef:
+          remoteKey: immich
+          property: DATABASE_USER
+    - match:
+        secretKey: password
+        remoteRef:
+          remoteKey: immich
+          property: DATABASE_PASSWORD
+    - match:
+        secretKey: port
+        remoteRef:
+          remoteKey: immich
+          property: DATABASE_PORT
\ No newline at end of file