diff --git a/share/wildduck/secret.tf b/share/wildduck/secret.tf
index eab818c..7d319db 100644
--- a/share/wildduck/secret.tf
+++ b/share/wildduck/secret.tf
@@ -1,50 +1,72 @@
+resource "random_password" "srs" {
+ length = 32
+ special = false
+}
+
+resource "random_password" "zonemta" {
+ length = 32
+ special = false
+}
+
+resource "random_password" "webmail" {
+ length = 32
+ special = false
+}
+
+resource "random_password" "totp" {
+ length = 32
+ special = false
+}
+
+resource "random_password" "access" {
+ length = 32
+ special = false
+}
+
+resource "random_password" "authentik" {
+ length = 32
+ special = false
+}
+
+resource "random_password" "default" {
+ length = 8
+ special = false
+}
+
+resource "random_password" "scim-seed" {
+ length = 16
+ special = false
+}
+
+locals {
+ secrets = {
+ srs = random_password.srs.result
+ zonemta = random_password.zonemta.result
+ webmail = random_password.webmail.result
+ totp = random_password.totp.result
+ dkim = random_password.dkim.result
+ access = random_password.access.result
+ authentik = random_password.authentik.result
+ }
+}
+
 resource "kubectl_manifest" "wildduck_secret" {
- ignore_fields = ["metadata.annotations"]
 yaml_body = <<-EOF
- apiVersion: "secretgenerator.mittwald.de/v1alpha1"
- kind: "StringSecret"
+ apiVersion: v1
+ kind: Secret
 metadata:
 name: "${var.instance}"
 namespace: "${var.namespace}"
 labels: ${jsonencode(local.common_labels)}
- spec:
- forceRegenerate: false
- fields:
- - fieldName: "srs"
- length: "32"
- - fieldName: "zonemta"
- length: "32"
- - fieldName: "webmail"
- length: "32"
- - fieldName: "totp"
- length: "32"
- - fieldName: "dkim"
- length: "32"
- - fieldName: "access"
- length: "32"
- - fieldName: "authentik" # Bearer for authentik to wildduck-scim
- length: "32"
- - fieldName: "default" # Default user password
- length: "8"
- - fieldName: "scim-seed"
- length: "16"
- EOF
+ stringData:
+ srs: "${local.srs}"
+ zonemta: "${local.zonemta}"
+ webmail: "${local.webmail}"
+ totp: "${local.totp}"
+ dkim: "${local.dkim}"
+ access: "${local.access}"
+ authentik: "${local.authentik}"
+ default: "${random_password.default.result}"
+ scim-seed: "${random_password.scim-seed.result}"
+EOF
 }
-data "kubernetes_secret_v1" "wildduck" {
- depends_on = [ kubectl_manifest.wildduck_secret ]
- metadata {
- name = var.instance
- namespace = var.namespace
- }
-}
-locals {
- secrets = {
- srs = data.kubernetes_secret_v1.wildduck.data["srs"]
- zonemta = data.kubernetes_secret_v1.wildduck.data["zonemta"]
- webmail = data.kubernetes_secret_v1.wildduck.data["webmail"]
- totp = data.kubernetes_secret_v1.wildduck.data["totp"]
- dkim = data.kubernetes_secret_v1.wildduck.data["dkim"]
- access = data.kubernetes_secret_v1.wildduck.data["access"]
- authentik = data.kubernetes_secret_v1.wildduck.data["authentik"]
- }
-}
\ No newline at end of file
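Review bot: The seven new `stringData` lines from `srs:` through `authentik:` interpolate `${local.srs}`, `${local.zonemta}` and so on, but the `locals` block added at the top of this hunk defines only the `secrets` map, so those names do not exist and `terraform validate` should reject them unless matching top-level locals are declared in another file of the module; each should read `srs: "${local.secrets.srs}"` (or `"${random_password.srs.result}"`, the form the `default:` and `scim-seed:` lines already use). In the same way `local.secrets.dkim` reads `random_password.dkim.result`, yet no `random_password "dkim"` resource is added here although the removed StringSecret generated a 32-character `dkim` field, so that resource is either missing or lives elsewhere and is worth confirming. Separately, replacing the in-cluster generator with `random_password` means every value now sits in plaintext in Terraform state and appears in plan output through `yaml_body`, so the state backend has to be treated as secret-bearing and masking the manifest in plans (the kubectl provider's `sensitive_fields` argument, where the installed provider version supports it) would keep the values out of CI logs. The 8-character alphanumeric `default` password and the 16-character `scim-seed` carry their lengths over from the old spec rather than being introduced here, but the explanatory comments were lost in the move; restoring `# Default user password` on `resource "random_password" "default"` and `# Bearer for authentik to wildduck-scim` on `"authentik"` would keep that intent visible.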