diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index 1bfa2f7..c91b18b 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -16,6 +16,7 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
 checksum/nginx-config: {{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -117,13 +118,12 @@ spec:
 value: {{ .Values.phpmyadmin.env.MEMORY_LIMIT | quote }}
 - name: MAX_EXECUTION_TIME
 value: {{ .Values.phpmyadmin.env.MAX_EXECUTION_TIME | quote }}
- {{- if or .Values.phpmyadmin.blowfishSecret .Values.phpmyadmin.existingSecret }}
+ {{- /* Secretは常に存在する(自動生成 or existingSecret)ため、常に注入する */}}
 - name: PMA_BLOWFISH_SECRET
 valueFrom:
 secretKeyRef:
 name: {{ .Values.phpmyadmin.existingSecret | default (include "phpmyadmin-nginx.fullname" .) }}
 key: blowfish-secret
- {{- end }}
 ports:
 - name: php-fpm
 containerPort: 9000
diff --git a/templates/secret.yaml b/templates/secret.yaml
index 4fcd1e1..4f8bc70 100644
--- a/templates/secret.yaml
+++ b/templates/secret.yaml
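Review bot: When `existingSecret` is set, `secret.yaml` renders to nothing (it is wrapped in `{{- if not .Values.phpmyadmin.existingSecret }}` in the other file of this patch), so the new `checksum/secret` annotation becomes a constant hash of an empty render and rotating the externally managed Secret will not roll the Deployment; that should be stated next to `existingSecret` in values.yaml, e.g. `# existingSecret: rotating this Secret does not restart pods; restart them yourself`. A smaller caveat: the annotation is a SHA-256 of the rendered manifest, which is deterministic apart from the blowfish value, so anyone with pod read access (often broader than Secret read access) gets an offline-checkable fingerprint of a user-supplied `blowfishSecret`; harmless for a 32-character random value, but a weak hand-picked one becomes guessable, so the values comment for `blowfishSecret` should require a random 32-byte value.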
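Review bot: Now that `PMA_BLOWFISH_SECRET` is injected unconditionally, the hard-coded `key: blowfish-secret` is a contract on any user-supplied `existingSecret`, and a Secret with a different key name only fails at pod start (CreateContainerConfigError) rather than at install time; either document the required key next to `existingSecret` in values.yaml or make it configurable with `key: {{ .Values.phpmyadmin.existingSecretKey | default "blowfish-secret" }}`. As a point of style, the new template comment explaining why the guard was dropped is the kind of rationale other contributors will need; an English version, `{{- /* The Secret always exists (generated or existingSecret), so always inject it */}}`, serves a wider audience.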
@@ -1,21 +1,24 @@
-{{- if and (not .Values.phpmyadmin.existingSecret) .Values.phpmyadmin.blowfishSecret }}
+{{- if not .Values.phpmyadmin.existingSecret }}
+{{- $fullname := include "phpmyadmin-nginx.fullname" . }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $fullname }}
+{{- $blowfishSecret := "" }}
+{{- if $secret }}
+ {{- /* 既存のSecretが存在する場合はその値を再利用(helm upgradeで値が変わらないように) */}}
+ {{- $blowfishSecret = index $secret.data "blowfish-secret" | b64dec }}
+{{- else if .Values.phpmyadmin.blowfishSecret }}
+ {{- /* values.yamlに明示的に指定された値を使用 */}}
+ {{- $blowfishSecret = .Values.phpmyadmin.blowfishSecret }}
+{{- else }}
+ {{- /* 初回インストール時のみランダム生成 */}}
+ {{- $blowfishSecret = randAlphaNum 32 }}
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ include "phpmyadmin-nginx.fullname" . }}
+ name: {{ $fullname }}
 labels:
 {{- include "phpmyadmin-nginx.labels" . | nindent 4 }}
 type: Opaque
 data:
- blowfish-secret: {{ .Values.phpmyadmin.blowfishSecret | b64enc | quote }}
-{{- else if not .Values.phpmyadmin.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "phpmyadmin-nginx.fullname" . }}
- labels:
- {{- include "phpmyadmin-nginx.labels" . | nindent 4 }}
-type: Opaque
-data:
- blowfish-secret: {{ randAlphaNum 32 | b64enc | quote }}
-{{- end }}
\ No newline at end of file
+ blowfish-secret: {{ $blowfishSecret | b64enc | quote }}
+{{- end }}
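Review bot: The branch order makes a pre-existing Secret win over an explicitly configured `.Values.phpmyadmin.blowfishSecret`, so after the first install a changed value (the normal way to rotate this key) is silently ignored and rotation requires deleting the Secret by hand; putting the explicit value first, `{{- if .Values.phpmyadmin.blowfishSecret }}` … `{{- else if $secret }}` … `{{- else }}`, keeps the upgrade-stability goal for the generated case while honouring operator intent. `lookup` returns an empty map under `helm template`, `helm install --dry-run` and pipelines that render that way (Argo CD among them), so in those flows every render takes the `randAlphaNum 32` branch: the cookie-encryption key changes each time and, through the new `checksum/secret` pod annotation, the Deployment restarts on every sync; the values comment for `blowfishSecret`/`existingSecret` should say one of them is required outside a direct `helm install`/`helm upgrade`. If the found Secret lacks the `blowfish-secret` key (a hand-created or older Secret adopted into the release), `index $secret.data "blowfish-secret" | b64dec` will likely abort the render on a nil argument; a guard such as `{{- else if and $secret (hasKey $secret.data "blowfish-secret") }}` makes the fallback to the other branches explicit.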