Hi,
You don't need the owner reference. If the [cluster]-es-internal-users secret exists with the correct entries in the data section, ECK will use that secret.
kubectl create secret generic quickstart-es-internal-users --from-literal=elastic-internal-probe=probepasswd --from-literal=elastic-internal=internalpasswd --from-literal=elastic-internal-keystore=keystorepasswd
Because secrets are mounted as read-only volumes, I doubt the elasticsearch-users tool can be used, but I have not tried to use it that way and can't give you a definite answer.