diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
index 717a11c2..9e658ed9 100644
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -27,6 +27,32 @@ global:
       defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
       defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
       defaultAdministratorPassword: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote}}
+    portalConsumer:
+      minio:
+        accessKey: {{ .Values.objectstores.nubus.username | quote }}
+        secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+      provisioningApi:
+        password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote}}
+    portalListener:
+      minio:
+        secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+    provisioning:
+      api:
+        adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote}}
+        natsPassword: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
+        prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
+        udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
+      dispatcher:
+        natsPassword: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
+      nats:
+        adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote}}
+      prefill:
+        natsPassword: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
+      udmTransformer:
+        natsPassword: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
+    selfserviceConsumer:
+      provisioningApi:
+        password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
 
   # -- Extensions to load. Add entries to load additional extensions into Nubus.
   extensions:
@@ -283,10 +309,6 @@ nubusPortalConsumer:
     logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
     objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
-    objectStorageCredentialSecret:
-      name: "ums-portal-consumer-minio-opendesk-credentials"
-      accessKeyKey: "access-key-id"
-      secretKeyKey: "secret-key-id"
   provisioningApi:
     auth:
       username: "portal-consumer"
@@ -518,14 +540,6 @@ extraSecrets:
     stringData:
       access-key-id: {{ .Values.objectstores.nubus.username | quote }}
       secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-  - name: "ums-portal-consumer-minio-opendesk-credentials"
-    stringData:
-      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
-      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-  - name: "ums-portal-consumer-minio-opendesk-credentials"
-    stringData:
-      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
-      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
   - name: "ums-umc-server-smtp-credentials-custom"
     stringData:
       password: ""
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index f662f5d2..3d58934c 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -34,21 +34,19 @@ secrets:
     systemAccounts:
       administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "Administrator" | sha1sum | quote }}
       sysIdpUserPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "sysIdpUser" | sha1sum | quote }}
-    storeDavUsers:
-      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
-      portalConsumer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-consumer" "store-dav" | sha1sum | quote }}
+    portalConsumer:
+      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-consumer" "provisioning-api" | sha1sum | quote }}
+    selfserviceConsumer:
+      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-consumer" "provisioning-api" | sha1sum | quote }}
     provisioning:
-      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
-      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
-      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
-      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
-      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
-      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
-      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+      api:
+        adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+        natsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+        prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
+        udmTransformerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
       dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
-      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
-      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
-      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+      udmTransformerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum | quote }}
     guardian:
       udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
   nats: