diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml
index 304a9c6..4022cdd 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml
@@ -13,8 +13,8 @@ metadata:
     vault.security.banzaicloud.io/vault-path: "avroid-office"
 type: Opaque
 data:
-  gitea_sonarqube_bot_staging_gitea_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEudG9rZW4udmFsdWU=
-  gitea_sonarqube_bot_staging_gitea_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEud2ViaG9vay5zZWNyZXQ=
-  gitea_sonarqube_bot_staging_sonarqube_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLnRva2VuLnZhbHVl
-  gitea_sonarqube_bot_staging_sonarqube_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLndlYmhvb2suc2VjcmV0
-  gitea_sonarqube_bot_staging_bitbucket_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uYml0YnVja2V0LndlYmhvb2suc2VjcmV0
+  .gitea_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEudG9rZW4udmFsdWU=
+  .gitea_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEud2ViaG9vay5zZWNyZXQ=
+  .sonarqube_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLnRva2VuLnZhbHVl
+  .sonarqube_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLndlYmhvb2suc2VjcmV0
+  .bitbucket_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uYml0YnVja2V0LndlYmhvb2suc2VjcmV0
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
index 5ab74ca..60007dd 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
@@ -59,9 +59,9 @@ app:
       ## User needs "Read project" permissions with access to "Pull Requests"
       ## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file.
       token:
-        value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.token.value}"
+        # value: ""
         # # or path to file containing the plain text secret
-        # file: /bot/secrets/gitea/user-token
+        file: /bot/secrets/.gitea_token_value
 
       ## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
       ## request will be ignored.
@@ -70,9 +70,9 @@ app:
       ## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext)
       ## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret`
       webhook:
-        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.webhook.secret}"
+        # secret: ""
         # # or path to file containing the plain text secret
-        # secretFile: /bot/secrets/gitea/webhook-secret
+        secretFile: /bot/secrets/.gitea_webhook_secret
 
     ## SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
     sonarqube:
@@ -83,9 +83,9 @@ app:
       ## User needs "Browse on project" permissions
       ## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file.
       token:
-        value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.token.value}"
+        # value: ""
         # # or path to file containing the plain text secret
-        # file: /bot/secrets/sonarqube/user-token
+        file: /bot/secrets/.sonarqube_token_value
 
       ## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
       ## request will be ignored.
@@ -95,9 +95,9 @@ app:
       ## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext)
       ## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret`
       webhook:
-        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.webhook.secret}"
+        # secret: ""
         # # or path to file containing the plain text secret
-        # secretFile: /bot/secrets/sonarqube/webhook-secret
+        secretFile: /bot/secrets/.sonarqube_webhook_secret
 
     ## List of project mappings to take care of. Webhooks for other projects will be ignored.
     ## At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
@@ -123,9 +123,21 @@ app:
 
     bitbucket:
       webhook:
-        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}"
+        secretFile: /bot/secrets/.bitbucket_webhook_secret
 
 
+## @param volumes If token and webhook secrets shall be provided via file, volumes and volume mounts can be configured to setup the environment accordingly
+volumes:
+  - name: gitea-sonarqube-bot-staging-secrets
+    secret:
+      secretName: gitea-sonarqube-bot-staging-secret-from-vault
+
+## @param volumeMounts If token and webhook secrets shall be provided via file, volumes and volume mounts can be configured to setup the environment accordingly
+volumeMounts:
+  - name: gitea-sonarqube-bot-staging-secrets
+    readOnly: true
+    mountPath: "/bot/secrets"
+
 ## @section Security parameters
 
 serviceAccount: