diff --git a/cmd/gotk/create_source_bucket.go b/cmd/gotk/create_source_bucket.go
index 9511ab54af365ec9c885faa19939bdd314b10f49..7ed080e784bfaa5ab9ef9505c3c65a33a1858960 100644
--- a/cmd/gotk/create_source_bucket.go
+++ b/cmd/gotk/create_source_bucket.go
@@ -69,6 +69,7 @@ var (
 	sourceBucketSecretKey string
 	sourceBucketRegion    string
 	sourceBucketInsecure  bool
+	sourceBucketSecretRef string
 )
 
 func init() {
@@ -79,6 +80,7 @@ func init() {
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretKey, "secret-key", "", "the bucket secret key")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketRegion, "region", "", "the bucket region")
 	createSourceBucketCmd.Flags().BoolVar(&sourceBucketInsecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretRef, "secret-ref", "", "the name of an existing secret containing credentials")
 
 	createSourceCmd.AddCommand(createSourceBucketCmd)
 }
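Review bot: The help text for `--secret-ref` does not say which keys the existing secret must hold, so a user has to read the source to find out what the Bucket expects. The secret this command generates itself uses `accesskey` and `secretkey`, and the help could name them: `"the name of an existing secret containing the accesskey and secretkey fields"`. The helm flag added in create_source_helm.go has the same gap; its generated secret uses `username`/`password`, `certFile`/`keyFile` and `caFile`. The pages under docs/cmd would presumably need regenerating after the wording changes.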
@@ -88,7 +90,6 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("Bucket source name is required")
 	}
 	name := args[0]
-	secretName := fmt.Sprintf("bucket-%s", name)
 
 	if sourceBucketName == "" {
 		return fmt.Errorf("bucket-name is required")
@@ -126,6 +127,11 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			},
 		},
 	}
+	if sourceHelmSecretRef != "" {
+		bucket.Spec.SecretRef = &corev1.LocalObjectReference{
+			Name: sourceBucketSecretRef,
+		}
+	}
 
 	if export {
 		return exportBucket(*bucket)
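Review bot: The new guard tests `sourceHelmSecretRef`, the helm command's flag variable, while its body assigns `sourceBucketSecretRef`; it should read `if sourceBucketSecretRef != "" {`. Both are package-level variables in cmd/gotk, so this compiles, but on a bucket command the helm variable is empty and the reference is never set. Because the later hunk skips secret generation whenever `--secret-ref` is given, the Bucket would then be exported or applied with no `SecretRef` at all and the flag is silently dropped. createSourceBucketCmdRun starts and ends outside this hunk.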
@@ -141,28 +147,32 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 
 	logger.Generatef("generating Bucket source")
 
-	secret := corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      secretName,
-			Namespace: namespace,
-		},
-		StringData: map[string]string{},
-	}
+	if sourceBucketSecretRef == "" {
+		secretName := fmt.Sprintf("bucket-%s", name)
 
-	if sourceBucketAccessKey != "" && sourceBucketSecretKey != "" {
-		secret.StringData["accesskey"] = sourceBucketAccessKey
-		secret.StringData["secretkey"] = sourceBucketSecretKey
-	}
+		secret := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secretName,
+				Namespace: namespace,
+			},
+			StringData: map[string]string{},
+		}
 
-	if len(secret.StringData) > 0 {
-		logger.Actionf("applying secret with the bucket credentials")
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
+		if sourceBucketAccessKey != "" && sourceBucketSecretKey != "" {
+			secret.StringData["accesskey"] = sourceBucketAccessKey
+			secret.StringData["secretkey"] = sourceBucketSecretKey
 		}
-		bucket.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: secretName,
+
+		if len(secret.StringData) > 0 {
+			logger.Actionf("applying secret with the bucket credentials")
+			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+				return err
+			}
+			bucket.Spec.SecretRef = &corev1.LocalObjectReference{
+				Name: secretName,
+			}
+			logger.Successf("authentication configured")
 		}
-		logger.Successf("authentication configured")
 	}
 
 	logger.Actionf("applying Bucket source")
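Review bot: When `--secret-ref` is set, `--access-key` and `--secret-key` are silently ignored by the new `if sourceBucketSecretRef == ""` wrapper, so someone passing fresh keys alongside the flag gets no error while the source keeps using whatever the existing secret contains. Rejecting the combination in the flag validation near the top of createSourceBucketCmdRun (outside this hunk) would make that explicit: `if sourceBucketSecretRef != "" && (sourceBucketAccessKey != "" || sourceBucketSecretKey != "") { return fmt.Errorf("secret-ref cannot be used together with access-key or secret-key") }`. The same applies to the `sourceHelmSecretRef == ""` wrapper in create_source_helm.go (username, password and the TLS file flags) and to the `sourceGitSecretRef != ""` branch in create_source_git.go.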
diff --git a/cmd/gotk/create_source_git.go b/cmd/gotk/create_source_git.go
index 5330b5ad00484cdcf4c0a52dd6883b7877e8072e..495ab6548c3c39e50ab23f28de5f76056286ab2e 100644
--- a/cmd/gotk/create_source_git.go
+++ b/cmd/gotk/create_source_git.go
@@ -87,15 +87,17 @@ For private Git repositories, the basic authentication credentials are stored in
 }
 
 var (
-	sourceGitURL          string
-	sourceGitBranch       string
-	sourceGitTag          string
-	sourceGitSemver       string
-	sourceGitUsername     string
-	sourceGitPassword     string
+	sourceGitURL      string
+	sourceGitBranch   string
+	sourceGitTag      string
+	sourceGitSemver   string
+	sourceGitUsername string
+	sourceGitPassword string
+
 	sourceGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa"
 	sourceGitRSABits      flags.RSAKeyBits         = 2048
 	sourceGitECDSACurve                            = flags.ECDSACurve{Curve: elliptic.P384()}
+	sourceGitSecretRef    string
 )
 
 func init() {
@@ -108,6 +110,7 @@ func init() {
 	createSourceGitCmd.Flags().Var(&sourceGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
+	createSourceGitCmd.Flags().StringVarP(&sourceGitSecretRef, "secret-ref", "", "", "the name of an existing secret containing SSH or basic credentials")
 
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
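Review bot: `StringVarP` is called with an empty shorthand for `--secret-ref`, which is the case `StringVar` exists for; the bucket command in this commit already registers the same flag with `StringVar`. Suggest `createSourceGitCmd.Flags().StringVar(&sourceGitSecretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")`. The helm registration in create_source_helm.go uses the same `StringVarP` form and could be changed alongside it.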
@@ -162,6 +165,11 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if export {
+		if sourceGitSecretRef != "" {
+			gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+				Name: sourceGitSecretRef,
+			}
+		}
 		return exportGit(gitRepository)
 	}
 
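Review bot: The secret reference is assigned only inside the `if export` branch here and then a second time in the `withAuth` block further down, whereas the bucket and helm commands in this commit assign it once before the export check. Hoisting the `if sourceGitSecretRef != "" { gitRepository.Spec.SecretRef = ... }` block above `if export {` would give both paths a single assignment and keep the three commands parallel. The `withAuth` block would still be needed for the generated-secret case, as far as the visible lines show. createSourceGitCmdRun continues outside this hunk.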
@@ -175,7 +183,9 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 
 	withAuth := false
 	// TODO(hidde): move all auth prep to separate func?
-	if u.Scheme == "ssh" {
+	if sourceGitSecretRef != "" {
+		withAuth = true
+	} else if u.Scheme == "ssh" {
 		logger.Actionf("generating deploy key pair")
 		pair, err := generateKeyPair(ctx)
 		if err != nil {
@@ -240,8 +250,12 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	logger.Generatef("generating GitRepository source")
 
 	if withAuth {
+		secretName := name
+		if sourceGitSecretRef != "" {
+			secretName = sourceGitSecretRef
+		}
 		gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: name,
+			Name: secretName,
 		}
 	}
 
diff --git a/cmd/gotk/create_source_helm.go b/cmd/gotk/create_source_helm.go
index e8e61f416b2a7b2cc40090b5381b4c3e9fb13d2b..5598d0acb9e5955d3b4173498d30e06286da5ee1 100644
--- a/cmd/gotk/create_source_helm.go
+++ b/cmd/gotk/create_source_helm.go
@@ -63,12 +63,13 @@ For private Helm repositories, the basic authentication credentials are stored i
 }
 
 var (
-	sourceHelmURL      string
-	sourceHelmUsername string
-	sourceHelmPassword string
-	sourceHelmCertFile string
-	sourceHelmKeyFile  string
-	sourceHelmCAFile   string
+	sourceHelmURL       string
+	sourceHelmUsername  string
+	sourceHelmPassword  string
+	sourceHelmCertFile  string
+	sourceHelmKeyFile   string
+	sourceHelmCAFile    string
+	sourceHelmSecretRef string
 )
 
 func init() {
@@ -78,6 +79,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmCertFile, "cert-file", "", "TLS authentication cert file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmKeyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmCAFile, "ca-file", "", "TLS authentication CA file path")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmSecretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
 
 	createSourceCmd.AddCommand(createSourceHelmCmd)
 }
@@ -87,7 +89,6 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("HelmRepository source name is required")
 	}
 	name := args[0]
-	secretName := fmt.Sprintf("helm-%s", name)
 
 	if sourceHelmURL == "" {
 		return fmt.Errorf("url is required")
@@ -122,6 +123,12 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 
+	if sourceHelmSecretRef != "" {
+		helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+			Name: sourceHelmSecretRef,
+		}
+	}
+
 	if export {
 		return exportHelmRepository(*helmRepository)
 	}
@@ -135,51 +142,54 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Generatef("generating HelmRepository source")
+	if sourceHelmSecretRef == "" {
+		secretName := fmt.Sprintf("helm-%s", name)
 
-	secret := corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      secretName,
-			Namespace: namespace,
-		},
-		StringData: map[string]string{},
-	}
-
-	if sourceHelmUsername != "" && sourceHelmPassword != "" {
-		secret.StringData["username"] = sourceHelmUsername
-		secret.StringData["password"] = sourceHelmPassword
-	}
-
-	if sourceHelmCertFile != "" && sourceHelmKeyFile != "" {
-		cert, err := ioutil.ReadFile(sourceHelmCertFile)
-		if err != nil {
-			return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmCertFile, err)
+		secret := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secretName,
+				Namespace: namespace,
+			},
+			StringData: map[string]string{},
 		}
-		secret.StringData["certFile"] = string(cert)
 
-		key, err := ioutil.ReadFile(sourceHelmKeyFile)
-		if err != nil {
-			return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmKeyFile, err)
+		if sourceHelmUsername != "" && sourceHelmPassword != "" {
+			secret.StringData["username"] = sourceHelmUsername
+			secret.StringData["password"] = sourceHelmPassword
 		}
-		secret.StringData["keyFile"] = string(key)
-	}
 
-	if sourceHelmCAFile != "" {
-		ca, err := ioutil.ReadFile(sourceHelmCAFile)
-		if err != nil {
-			return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmCAFile, err)
+		if sourceHelmCertFile != "" && sourceHelmKeyFile != "" {
+			cert, err := ioutil.ReadFile(sourceHelmCertFile)
+			if err != nil {
+				return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmCertFile, err)
+			}
+			secret.StringData["certFile"] = string(cert)
+
+			key, err := ioutil.ReadFile(sourceHelmKeyFile)
+			if err != nil {
+				return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmKeyFile, err)
+			}
+			secret.StringData["keyFile"] = string(key)
 		}
-		secret.StringData["caFile"] = string(ca)
-	}
 
-	if len(secret.StringData) > 0 {
-		logger.Actionf("applying secret with repository credentials")
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
+		if sourceHelmCAFile != "" {
+			ca, err := ioutil.ReadFile(sourceHelmCAFile)
+			if err != nil {
+				return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmCAFile, err)
+			}
+			secret.StringData["caFile"] = string(ca)
 		}
-		helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: secretName,
+
+		if len(secret.StringData) > 0 {
+			logger.Actionf("applying secret with repository credentials")
+			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+				return err
+			}
+			helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+				Name: secretName,
+			}
+			logger.Successf("authentication configured")
 		}
-		logger.Successf("authentication configured")
 	}
 
 	logger.Actionf("applying HelmRepository source")
diff --git a/docs/cmd/gotk_create_source_bucket.md b/docs/cmd/gotk_create_source_bucket.md
index ded846198653bce7689fe377e4c8a00c19b3ed05..abfa06f720cb5fc8083fb2e45450d105f30e9cbb 100644
--- a/docs/cmd/gotk_create_source_bucket.md
+++ b/docs/cmd/gotk_create_source_bucket.md
@@ -45,6 +45,7 @@ gotk create source bucket [name] [flags]
       --provider sourceBucketProvider   the S3 compatible storage provider name, available options are: (generic, aws) (default generic)
       --region string                   the bucket region
       --secret-key string               the bucket secret key
+      --secret-ref string               the name of an existing secret containing credentials
 ```
 
 ### Options inherited from parent commands
diff --git a/docs/cmd/gotk_create_source_git.md b/docs/cmd/gotk_create_source_git.md
index e0be5c4814967a4fcff69aea79e23894b70b4fb7..4ee59b48f60d7baad1b847882371cfe2dc7cba29 100644
--- a/docs/cmd/gotk_create_source_git.md
+++ b/docs/cmd/gotk_create_source_git.md
@@ -58,6 +58,7 @@ gotk create source git [name] [flags]
       --branch string                          git branch (default "master")
   -h, --help                                   help for git
   -p, --password string                        basic authentication password
+      --secret-ref string                      the name of an existing secret containing SSH or basic credentials
       --ssh-ecdsa-curve ecdsaCurve             SSH ECDSA public key curve (p256, p384, p521) (default p384)
       --ssh-key-algorithm publicKeyAlgorithm   SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa)
       --ssh-rsa-bits rsaKeyBits                SSH RSA public key bit size (multiplies of 8) (default 2048)
diff --git a/docs/cmd/gotk_create_source_helm.md b/docs/cmd/gotk_create_source_helm.md
index 5470e180ee34c3dc11a1d41a89ebcc3caefe060f..b3baeb1c7d89c2351dde9fb000f366f5dc70ddf0 100644
--- a/docs/cmd/gotk_create_source_helm.md
+++ b/docs/cmd/gotk_create_source_helm.md
@@ -38,13 +38,14 @@ gotk create source helm [name] [flags]
 ### Options
 
 ```
-      --ca-file string     TLS authentication CA file path
-      --cert-file string   TLS authentication cert file path
-  -h, --help               help for helm
-      --key-file string    TLS authentication key file path
-  -p, --password string    basic authentication password
-      --url string         Helm repository address
-  -u, --username string    basic authentication username
+      --ca-file string      TLS authentication CA file path
+      --cert-file string    TLS authentication cert file path
+  -h, --help                help for helm
+      --key-file string     TLS authentication key file path
+  -p, --password string     basic authentication password
+      --secret-ref string   the name of an existing secret containing TLS or basic auth credentials
+      --url string          Helm repository address
+  -u, --username string     basic authentication username
 ```
 
 ### Options inherited from parent commands