diff --git a/kubernetes/apps/rook-ceph/rook-ceph/app/externalsecret.yaml b/kubernetes/apps/rook-ceph/rook-ceph/app/externalsecret.yaml
new file mode 100644
index 0000000000..cb39cb7742
--- /dev/null
+++ b/kubernetes/apps/rook-ceph/rook-ceph/app/externalsecret.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: rook-ceph-dashboard
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: rook-ceph-dashboard-password # rook expects this name
+    template:
+      engineVersion: v2
+      data:
+        password: "{{ .ROOK_DASHBOARD_PASSWORD }}"
+  dataFrom:
+    - extract:
+        key: rook
diff --git a/kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml b/kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml
index 5dd7baca73..3e5aa62441 100644
--- a/kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml
+++ b/kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml
@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
+  - ./externalsecret.yaml
diff --git a/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml b/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml
index e1ed5eddab..d4e69843e2 100644
--- a/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml
+++ b/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml
@@ -6,6 +6,8 @@ metadata:
   namespace: flux-system
 spec:
   targetNamespace: rook-ceph
+  dependsOn:
+    - name: cluster-apps-external-secrets-stores
   path: ./kubernetes/apps/rook-ceph/rook-ceph/app
   prune: true
   sourceRef: