diff --git a/src/main/clj/dda/k8s_keycloak/base64.clj b/src/main/clj/dda/k8s_keycloak/base64.clj new file mode 100644 index 0000000..a5de51a --- /dev/null +++ b/src/main/clj/dda/k8s_keycloak/base64.clj @@ -0,0 +1,14 @@ +(ns dda.k8s-keycloak.base64 + (:import (java.util Base64))) + +(defn encode + [string] + (.encodeToString + (Base64/getEncoder) + (.getBytes string))) + +(defn decode + [string] + (String. + (.decode (Base64/getDecoder) string) + "UTF-8")) \ No newline at end of file diff --git a/src/main/cljc/dda/k8s_keycloak/common.cljc b/src/main/cljc/dda/k8s_keycloak/common.cljc index 56a2b9b..0d36b97 100644 --- a/src/main/cljc/dda/k8s_keycloak/common.cljc +++ b/src/main/cljc/dda/k8s_keycloak/common.cljc @@ -21,11 +21,21 @@ (clojure.walk/postwalk #(if (and (map? %) (= name (:name %))) {:name name :value value} - %) coll)) + %) + coll)) + +(defn replace-key-value + [coll key value] + (clojure.walk/postwalk #(if (and (map? %) + (contains? % key)) + (assoc % key value) + %) + coll)) (defn replace-all-matching-values-by-new-value [coll value-to-match value-to-replace] (clojure.walk/postwalk #(if (and (= (type value-to-match) (type %)) (= value-to-match %)) value-to-replace - %) coll)) + %) + coll)) diff --git a/src/main/cljc/dda/k8s_keycloak/core.cljc b/src/main/cljc/dda/k8s_keycloak/core.cljc index c5ac7f6..e3b95c8 100644 --- a/src/main/cljc/dda/k8s_keycloak/core.cljc +++ b/src/main/cljc/dda/k8s_keycloak/core.cljc @@ -62,10 +62,12 @@ my-auth auth?] (cs/join "\n" [(yaml/to-string (pg/generate-config)) + "---" + (yaml/to-string (pg/generate-secret my-auth)) "---" (yaml/to-string (pg/generate-service)) "---" - (yaml/to-string (pg/generate-deployment my-auth)) + (yaml/to-string (pg/generate-deployment)) "---" (yaml/to-string (generate-config my-config my-auth)) "---" diff --git a/src/main/cljc/dda/k8s_keycloak/postgres.cljc b/src/main/cljc/dda/k8s_keycloak/postgres.cljc index dd9d797..152cd4e 100644 --- a/src/main/cljc/dda/k8s_keycloak/postgres.cljc 
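Review bot: In `encode` of src/main/clj/dda/k8s_keycloak/base64.clj, `(.getBytes string)` uses the JVM's default charset while `decode` in the same file reads the bytes back as "UTF-8", so a credential containing non-ASCII characters can be encoded differently depending on the host and fail to round-trip. Pin the charset on the encode side as well: `(.getBytes string "UTF-8")`. Both functions would also benefit from a one-line docstring stating that they take and return strings, and that Base64 here is only the encoding required by the Secret `data` field, not a protection of the value.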
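Review bot: `replace-key-value` in common.cljc has no docstring, and its behaviour is broader than the name suggests: the postwalk rewrites `key` in every map at any depth that contains it, not only at one known path. Because the postgres.cljc change uses it to place credentials into a manifest, state this explicitly, e.g. `"Sets key to value in every map within coll that already contains key; maps without key are left unchanged."`. The parameter name `key` also shadows `clojure.core/key` inside the function; `k` would avoid that.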
+++ b/src/main/cljc/dda/k8s_keycloak/postgres.cljc @@ -2,6 +2,7 @@ (:require [clojure.spec.alpha :as s] [dda.k8s-keycloak.yaml :as yaml] + [dda.k8s-keycloak.base64 :as b64] [dda.k8s-keycloak.common :as cm])) (s/def ::postgres-db-user cm/bash-env-string?) @@ -10,12 +11,15 @@ (defn generate-config [] (yaml/from-string (yaml/load-resource "postgres/config.yaml"))) -(defn generate-deployment [my-auth] +(defn generate-secret [my-auth] (let [{:keys [postgres-db-user postgres-db-password]} my-auth] (-> - (yaml/from-string (yaml/load-resource "postgres/deployment.yaml")) - (cm/replace-named-value "POSTGRES_USER" postgres-db-user) - (cm/replace-named-value "POSTGRES_PASSWORD" postgres-db-password)))) + (yaml/from-string (yaml/load-resource "postgres/secret.yaml")) + (cm/replace-key-value :postgres-user (b64/encode postgres-db-user)) + (cm/replace-key-value :postgres-password (b64/encode postgres-db-password))))) + +(defn generate-deployment [] + (yaml/from-string (yaml/load-resource "postgres/deployment.yaml"))) (defn generate-service [] (yaml/from-string (yaml/load-resource "postgres/service.yaml"))) diff --git a/src/main/cljs/dda/k8s_keycloak/base64.cljs b/src/main/cljs/dda/k8s_keycloak/base64.cljs new file mode 100644 index 0000000..b05b234 --- /dev/null +++ b/src/main/cljs/dda/k8s_keycloak/base64.cljs @@ -0,0 +1,9 @@ +(ns dda.k8s-keycloak.base64) + +(defn encode + [string] + (.btoa js/window string)) + +(defn decode + [string] + (.atob js/window string)) diff --git a/src/main/resources/postgres/deployment.yaml b/src/main/resources/postgres/deployment.yaml index 9b9578a..af5c590 100644 --- a/src/main/resources/postgres/deployment.yaml +++ b/src/main/resources/postgres/deployment.yaml 
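Review bot: `generate-secret` in postgres.cljc hands the destructured `postgres-db-user` and `postgres-db-password` straight to `b64/encode` without checking that they are present. With a missing key the JVM build would throw a NullPointerException from `.getBytes`, while the cljs build would most likely encode the text "null" via `btoa` and emit a Secret with that value as the password. Unless every caller validates `my-auth` before this point (not visible in this hunk), add a precondition such as `{:pre [(string? (:postgres-db-user my-auth)) (string? (:postgres-db-password my-auth))]}`. A docstring should also note that the returned map holds the credentials in Base64, which is reversible, so any rendered output needs the same handling as the plaintext.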
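Review bot: `encode` and `decode` in base64.cljs do not match the JVM implementation for anything outside ASCII: `btoa` accepts only code points up to U+00FF and throws on others, and it maps each character to a single byte rather than to its UTF-8 sequence. The same password can therefore produce different Secret data from the clj and cljs builds, or fail in the browser only. Convert the string to UTF-8 bytes before calling `btoa` (and reverse that after `atob`), or document that inputs must be ASCII if the `bash-env-string?` spec already guarantees it. `js/window` also ties this namespace to a browser runtime; if other hosts are expected, that is worth stating in a namespace docstring.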
@@ -18,14 +18,20 @@ spec: name: postgresql env: - name: POSTGRES_USER - value: "psql-user" + valueFrom: + secretKeyRef: + name: postgres-secret + key: postgres-user + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: postgres-secret + key: postgres-password - name: POSTGRES_DB valueFrom: configMapKeyRef: name: postgres-config - key: postgres-db - - name: POSTGRES_PASSWORD - value: "psql-pw" + key: postgres-db ports: - containerPort: 5432 name: postgresql diff --git a/src/main/resources/postgres/secret.yaml b/src/main/resources/postgres/secret.yaml new file mode 100644 index 0000000..ebf2b69 --- /dev/null +++ b/src/main/resources/postgres/secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: postgres-secret +type: Opaque +data: + postgres-user: "psql-user" + postgres-password: "psql-pw" diff --git a/src/test/cljc/dda/k8s_keycloak/postgres_test.cljc b/src/test/cljc/dda/k8s_keycloak/postgres_test.cljc index 0421286..9b3d0fd 100644 --- a/src/test/cljc/dda/k8s_keycloak/postgres_test.cljc +++ b/src/test/cljc/dda/k8s_keycloak/postgres_test.cljc @@ -4,6 +4,16 @@ :cljs [cljs.test :refer-macros [deftest is are testing run-tests]]) [dda.k8s-keycloak.postgres :as cut])) +(deftest should-generate-secret + (is (= {:apiVersion "v1" + :kind "Secret" + :metadata {:name "postgres-secret"} + :type "Opaque" + :data + {:postgres-user "cHNxbHVzZXI=" + :postgres-password "dGVzdDEyMzQ="}} + (cut/generate-secret {:postgres-db-user "psqluser" :postgres-db-password "test1234"})))) + (deftest should-generate-postgres-deployment (is (= {:apiVersion "apps/v1" :kind "Deployment" 
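Review bot: The values under `data:` in postgres/secret.yaml are placeholders rather than Base64, and nothing in the file says so. Add a comment above them, for example `# placeholder values; generate-secret replaces both with Base64-encoded credentials`, so that the template is not mistaken for a usable manifest or edited to hold real values. Keeping the placeholders as strings that are not valid Base64 is worth preserving, since an unreplaced template would then be expected to be rejected on apply rather than deployed with a known password.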
@@ -18,11 +28,19 @@ [{:image "postgres" :name "postgresql" :env - [{:name "POSTGRES_USER", :value "psqluser"} - {:name "POSTGRES_DB", :valueFrom - {:configMapKeyRef - {:name "postgres-config", :key "postgres-db"}}} - {:name "POSTGRES_PASSWORD", :value "test1234"}] + [{:name "POSTGRES_USER" + :valueFrom + {:secretKeyRef + {:name "postgres-secret", :key "postgres-user"}}} + {:valueFrom + {:secretKeyRef + {:name "postgres-secret" + :key "postgres-password"}} + :name "POSTGRES_PASSWORD"} + {:valueFrom + {:configMapKeyRef + {:name "postgres-config", :key "postgres-db"}} + :name "POSTGRES_DB"}] :ports [{:containerPort 5432, :name "postgresql"}] :volumeMounts [{:name "postgres-config-volume" @@ -30,4 +48,4 @@ :subPath "postgresql.conf" :readOnly true}]}] :volumes [{:name "postgres-config-volume", :configMap {:name "postgres-config"}}]}}}} - (cut/generate-deployment {:postgres-db-user "psqluser" :postgres-db-password "test1234"})))) + (cut/generate-deployment))))