diff --git a/postgresql/templates/secret-audit.yaml b/postgresql/templates/secret-audit.yaml
new file mode 100644
index 0000000000..64dc3a41e2
--- /dev/null
+++ b/postgresql/templates/secret-audit.yaml
@@ -0,0 +1,26 @@
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_audit }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.secrets.postgresql.audit }}
+type: Opaque
+data:
+ AUDIT_PASSWORD: {{ .Values.endpoints.postgresql.auth.audit.password | b64enc }}
+{{- end }}
diff --git a/postgresql/templates/statefulset.yaml b/postgresql/templates/statefulset.yaml
index b0e257eba0..38a6af4a14
--- a/postgresql/templates/statefulset.yaml
+++ b/postgresql/templates/statefulset.yaml
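Review bot: The password is piped straight into `b64enc` with no type coercion, so a value that YAML types as a number or boolean (`password: 12345`, `password: true`) reaches `b64enc` as a non-string and, in my experience with Helm, the render fails with a "wrong type for value" error instead of producing the Secret; `AUDIT_PASSWORD: {{ .Values.endpoints.postgresql.auth.audit.password | toString | b64enc }}` avoids that, or values.yaml should state that the password must be a quoted string. `$envAll` is assigned on the line after the `if` but nothing else in this template references it, so either drop that line or add a short comment if it is kept for symmetry with the chart's other secret templates. Since this Secret is the only place the audit credential is materialised, it is worth a one-line comment above `data:` saying it is consumed by the statefulset's `AUDIT_PASSWORD` env entry, so a future rename of the key is made in both places.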
@@ -332,6 +332,18 @@ spec:
 value: $(PATRONI_SUPERUSER_PASSWORD)
 - name: PATRONI_{{ .Values.endpoints.postgresql.auth.admin.username }}_OPTIONS
 value: 'createrole,createdb'
+{{- if .Values.manifests.secret_audit }}
+ - name: AUDIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.audit }}
+ key: AUDIT_PASSWORD
+ # Adding the audit user with no options just adds the user without
+ # any GRANTs. This means the user gets to do only what default
+ # PUBLIC permissions allow, which is only to SELECT from tables.
+ - name: PATRONI_{{ .Values.endpoints.postgresql.auth.audit.username }}_PASSWORD
+ value: $(AUDIT_PASSWORD)
+{{- end }}
 - name: PGSSLROOTCERT
 value: {{ .Values.secrets.pki.client_cert_path }}/ca.crt
 - name: PGSSLCERT
diff --git a/postgresql/values.yaml b/postgresql/values.yaml
index 402d24d50e..9181412ae4
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@@ -378,6 +378,7 @@ secrets:
 replica: postgresql-replication-pki
 server: postgresql-server-pki
 exporter: postgresql-exporter
+ audit: postgresql-audit
 
 endpoints:
 cluster_domain_suffix: cluster.local
@@ -403,6 +404,9 @@ endpoints:
 exporter:
 username: psql_exporter
 password: psql_exp_pass
+ audit:
+ username: audit
+ password: password
 hosts:
 default: postgresql
 host_fqdn_override:
@@ -445,6 +449,7 @@ manifests:
 secret_replica: true
 secret_server: true
 secret_etc: true
+ secret_audit: true
 service: true
 statefulset: true
 cron_job_postgresql_backup: false
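Review bot: The three-line comment above the `PATRONI_<audit>_PASSWORD` entry is inaccurate: PostgreSQL's default PUBLIC privileges do not include SELECT on tables — PUBLIC gets CONNECT on databases and, before PostgreSQL 15, CREATE/USAGE on schema `public` — so a role created with no options can log in to every database and create objects in `public` but cannot read any existing table until SELECT is granted, and this change contains no GRANT. I would replace the comment with `# Adding the audit user with no options creates a plain LOGIN role with no GRANTs;` / `# it gets only PUBLIC defaults (CONNECT, and USAGE/CREATE on schema public before PG15) and` / `# cannot read existing tables until SELECT (e.g. pg_read_all_data on PG14+) is granted elsewhere.` If the intent is a read-only auditor, that grant has to live somewhere (a Patroni post-init script or bootstrap SQL); otherwise this is a credential with CONNECT everywhere and no auditing value. As far as I know Patroni only creates these `PATRONI_<user>_PASSWORD` roles at cluster bootstrap, so rotating `auth.audit.password` later updates the Secret but not the role's password on an existing cluster — worth a note if that is the expected behaviour. The enclosing env list and container spec start and end outside this hunk.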
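Review bot: `password: password` is a dictionary-word default for a role that the statefulset change creates as a LOGIN user, and the new secret template writes this value into the cluster verbatim, so any deployment that forgets to override `endpoints.postgresql.auth.audit.password` ships a guessable credential that can CONNECT to every database. The sibling defaults in this block (`psql_exp_pass`) are placeholders too, but at least follow a recognisable pattern; I'd use `password: psql_audit_pass` here and add `# placeholder only — must be overridden per deployment` above the `audit:` key so the intent is explicit. Keep the value a plain string either way, because the secret template base64-encodes it directly and a numeric- or boolean-looking override would change type under YAML.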