diff --git a/Chart.yaml b/Chart.yaml
index 5f71b50..a031cc1 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -7,4 +7,4 @@ keywords:
 - confidential-containers
 name: trustee
 # DO NOT EDIT VERSION HERE, IT IS AUTO-GENERATED BY SEMANTIC-RELEASE
-version: 0.2.0
+version: 0.2.1
diff --git a/README.md b/README.md
index 2d8334a..9d7fba2 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # trustee
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square)
+![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square)
 A Helm chart to provide an opinionated deployment of Trustee in a validated pattern
@@ -32,6 +32,7 @@ In order to use this chart, you will need to:
 | global.coco.securityPolicyFlavour | string | `"insecure"` | |
 | global.secretStore.backend | string | `""` | |
 | kbs.cosignKeys | string | `"secret/data/hub/coSignKeys"` | |
+| kbs.extraSecrets | list | `[]` | |
 | kbs.publicKey | string | `"secret/data/hub/kbsPublicKey"` | |
 | kbs.secretResources[0].key | string | `"secret/data/hub/kbsres1"` | |
 | kbs.secretResources[0].name | string | `"kbsres1"` | |
diff --git a/templates/kbs.yaml b/templates/kbs.yaml
index 95fb974..c0e3644 100644
--- a/templates/kbs.yaml
+++ b/templates/kbs.yaml
@@ -14,6 +14,9 @@ spec:
 {{- range .Values.kbs.secretResources }}
 - "{{ .name }}"
 {{- end }}
+ {{- range .Values.kbs.extraSecrets }}
+ - "{{ . }}"
+ {{- end }}
 {{- if eq .Values.global.coco.securityPolicyFlavour "signed" }}
 - "cosign-keys"
 {{- end }}
diff --git a/values.yaml b/values.yaml
index 8f70490..fa1a3af 100644
--- a/values.yaml
+++ b/values.yaml
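Review bot: The new `- "{{ . }}"` line inside the `extraSecrets` range in templates/kbs.yaml interpolates each entry unescaped between hand-written double quotes, so an entry containing a `"` or a backslash produces broken or silently altered YAML instead of a render error; `- {{ . | quote }}` renders identically for ordinary secret names and escapes anything else. It mirrors the existing `- "{{ .name }}"` line just above, so if the idiom is changed it is worth changing both in the same place. Nothing de-duplicates the resulting list: a name listed in both `kbs.secretResources` and `kbs.extraSecrets`, or equal to `cosign-keys`, is emitted twice, and whether the operator tolerates a repeated kbsSecretResources entry is not visible from this hunk. The enclosing `spec:` block begins before the hunk.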
@@ -36,6 +36,13 @@ kbs:
 key: "secret/data/hub/kbsres1"
 - name: "passphrase"
 key: "secret/data/hub/passphrase"
+ # Pre-existing secrets to add to kbsSecretResources without creating
+ # ExternalSecrets. Use this for secrets that are created outside the
+ # Vault/ESO flow (e.g. by imperative jobs, cert-manager, or other
+ # controllers). Only the secret name is needed; the secret must already
+ # exist in the trustee-operator-system namespace.
+ extraSecrets: []
+
 # Intel TDX (Trust Domain Extensions) configuration
 tdx:
 # Enable TDX attestation support
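Review bot: The comment above the new `extraSecrets: []` key explains where the secrets come from but not what an entry looks like or what listing one means, so a reader cannot tell whether entries are bare names or objects like the `secretResources` items just above; a commented example entry such as `#   - <name-of-existing-secret>` (placeholder) next to the key would settle that. Because each entry is rendered straight into the KBS resource's kbsSecretResources (the templates/kbs.yaml hunk in this change), presumably every secret listed here becomes one the KBS can release to attested clients, and the comment should say that adding a name is an exposure decision and that the chart performs no check that the secret exists or is well-named. The `trustee-operator-system` namespace is stated as a fixed fact; if that namespace is configurable elsewhere in the chart this sentence will go stale, though that cannot be confirmed from this hunk. The enclosing `kbs:` mapping starts before the hunk.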