diff --git a/charts/artifact-keeper/README.md b/charts/artifact-keeper/README.md
index 3276226..e57f70a 100644
--- a/charts/artifact-keeper/README.md
+++ b/charts/artifact-keeper/README.md
@@ -95,7 +95,7 @@ kubectl delete pvc -l app.kubernetes.io/instance=ak -n artifact-keeper | edge | object | `{"affinity":{},"enabled":false,"env":{"CACHE_SIZE_MB":"10240","EDGE_HOST":"0.0.0.0","EDGE_PORT":"8081","HEARTBEAT_INTERVAL_SECS":"30","RUST_LOG":"info,artifact_keeper_edge=debug"},"image":{"pullPolicy":"Always","repository":"ghcr.io/artifact-keeper/artifact-keeper-edge","tag":"dev"},"nodeSelector":{},"podDisruptionBudget":{"enabled":false,"minAvailable":1},"replicaCount":1,"resources":{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"50m","memory":"128Mi"}},"service":{"port":8081,"type":"ClusterIP"},"tolerations":[],"topologySpreadConstraints":[]}` | Edge replication service NOTE: The ghcr.io/artifact-keeper/artifact-keeper-edge image is not yet published. Setting edge.enabled: true will fail because the image cannot be pulled. Airgap operators should exclude this component from pre-pull lists until the edge image ships. Tracking: issue #56. | | edge.image.tag | string | `"dev"` | "dev" floating tag. Kept explicit (not empty) on purpose: the edge image is not published at the chart's appVersion yet, so inheriting appVersion would reference an image that does not exist. See the edge note above and issue #56. Leave empty ("") only once edge ships at the chart's appVersion. 
| | edge.tolerations | list | `[]` | Per-component scheduling (overrides global) |
-| externalDatabase | object | `{"database":"artifact_registry","existingSecret":"","existingSecretKey":"DATABASE_URL","host":"","password":"","port":5432,"username":""}` | External database (used when postgres.enabled=false) |
+| externalDatabase | object | `{"database":"artifact_registry","existingHostKey":"","existingPortKey":"","existingSecret":"","existingSecretKey":"DATABASE_URL","host":"","password":"","port":5432,"username":""}` | External database (used when postgres.enabled=false) | | externalSecrets | object | `{"enabled":false,"refreshInterval":"1h","secrets":{"dbCredentials":"artifact-keeper/${ENVIRONMENT}/db-credentials","dtAdminPassword":"artifact-keeper/${ENVIRONMENT}/dt-admin-password","jwtSecret":"artifact-keeper/${ENVIRONMENT}/jwt-secret","migrationEncryptionKey":"","opensearchAuth":"artifact-keeper/${ENVIRONMENT}/opensearch-auth","s3Keys":"artifact-keeper/${ENVIRONMENT}/s3-keys","smtpPassword":"artifact-keeper/${ENVIRONMENT}/smtp-password"},"storeKind":"ClusterSecretStore","storeName":"aws-secrets-manager"}` | External Secrets Operator When enabled, ExternalSecret CRDs replace the static Secret template. Requires External Secrets Operator installed on the cluster and a SecretStore or ClusterSecretStore configured for your provider. | | fullnameOverride | string | `""` | | | gke.healthCheckPolicies.backend.requestPath | string | `"/livez"` | Health-check path for the backend BackendService. |
diff --git a/charts/artifact-keeper/templates/dtrack-deployment.yaml b/charts/artifact-keeper/templates/dtrack-deployment.yaml
index 2bb1b68..71498a0 100644
--- a/charts/artifact-keeper/templates/dtrack-deployment.yaml
+++ b/charts/artifact-keeper/templates/dtrack-deployment.yaml
@@ -91,11 +91,29 @@ spec:
 containerPort: 8080
 protocol: TCP
 env:
+ {{- if and (not .Values.postgres.enabled) .Values.externalDatabase.existingSecret }}
+ # Project host/port out of the operator-provided Secret so the JDBC
+ # URL below can reference them via $(VAR) expansion. Kubernetes
+ # expands env vars in declared order, so these MUST come before
+ # ALPINE_DATABASE_URL.
+ - name: _DTRACK_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.externalDatabase.existingSecret }}
+ key: {{ .Values.externalDatabase.existingHostKey | default "POSTGRES_HOST" }}
+ - name: _DTRACK_DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.externalDatabase.existingSecret }}
+ key: {{ .Values.externalDatabase.existingPortKey | default "POSTGRES_PORT" }}
+ {{- end }}
 - name: ALPINE_DATABASE_MODE
 value: "external"
 - name: ALPINE_DATABASE_URL
 {{- if .Values.postgres.enabled }}
 value: "jdbc:postgresql://{{ include "artifact-keeper.fullname" . }}-postgres:5432/dependency_track"
+ {{- else if .Values.externalDatabase.existingSecret }}
+ value: "jdbc:postgresql://$(_DTRACK_DB_HOST):$(_DTRACK_DB_PORT)/dependency_track"
 {{- else }}
 value: "jdbc:postgresql://{{ .Values.externalDatabase.host }}:{{ .Values.externalDatabase.port }}/dependency_track"
 {{- end }}
diff --git a/charts/artifact-keeper/values.yaml b/charts/artifact-keeper/values.yaml
index aeaecd4..b021f66 100644
--- a/charts/artifact-keeper/values.yaml
+++ b/charts/artifact-keeper/values.yaml
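Review bot: The Secret name and key emitted by the two new `secretKeyRef` entries are unquoted (`name: {{ .Values.externalDatabase.existingSecret }}` and `key: {{ .Values.externalDatabase.existingHostKey | default "POSTGRES_HOST" }}`), so a value YAML re-types (numeric, `true`-like, or containing `: `) renders a mistyped or invalid manifest, while the `value:` lines in the same hunk do quote their output; `name: {{ .Values.externalDatabase.existingSecret | quote }}` and the same `| quote` on both `key:` lines would be consistent and safe. Also, when the referenced Secret lacks the host or port key the failure surfaces as a CreateContainerConfigError at pod creation rather than at `helm install`/`helm template`, which is worth stating in the env comment so operators know where to look, e.g. `# The Secret must contain both keys; a missing key fails pod creation, not templating.`. The container spec these env entries belong to starts before the hunk.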
@@ -437,6 +437,12 @@ externalDatabase:
 database: "artifact_registry"
 existingSecret: ""
 existingSecretKey: "DATABASE_URL"
+ # Keys in `existingSecret` holding the database host and port used by the
+ # dependency-track deployment to assemble its JDBC URL. Only consulted when
+ # `postgres.enabled=false` and `externalDatabase.existingSecret` is set.
+ # Default to "POSTGRES_HOST" / "POSTGRES_PORT" if left empty.
+ existingHostKey: ""
+ existingPortKey: ""
 # -- OpenSearch (full-text search engine)
 # Powers full-text artifact search. The backend auto-reindexes from
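Review bot: The comment added above `existingHostKey`/`existingPortKey` uses a plain `#` rather than the `# --` prefix this file uses for generated descriptions (see `# -- OpenSearch (full-text search engine)` in the same hunk), so if the README is produced by helm-docs — as the per-key `edge.image.tag` row in this commit's README hunk suggests — the two new keys get no rows of their own and appear only inside the `externalDatabase` object default. Changing the first comment line to `# -- Key in existingSecret holding the database host (defaults to "POSTGRES_HOST")` directly above `existingHostKey`, with a matching `# --` line above `existingPortKey`, would surface them; the current four-line comment can stay as the detailed note. Separately, `Default to` should read `Defaults to`.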