diff --git a/charts/ocis/templates/_common/_tplvalues.tpl b/charts/ocis/templates/_common/_tplvalues.tpl
index f6535cd7a..b4df98b82 100644
--- a/charts/ocis/templates/_common/_tplvalues.tpl
+++ b/charts/ocis/templates/_common/_tplvalues.tpl
@@ -249,3 +249,24 @@ oCIS serviceAccount settings
 {{- define "ocis.serviceAccount" -}}
 automountServiceAccountToken: true
 {{- end -}}
+
+{{/*
+oCIS secret wrapper
+
+@param .name The name of the secret.
+@param .params Dict containing data keys/values (plaintext).
+@para
+*/}}
+{{- define "ocis.secret" -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .name }}
+data:
+ {{- $secretObj := (lookup "v1" "Secret" .scope.Release.Namespace .name) | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+ {{- range $key, $value := .params }}
+ {{- $secretValue := (get $secretData $key) | default ($value | b64enc | quote)}}
+ {{ $key }}: {{ $secretValue }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/ocis/templates/idm/secret.yaml b/charts/ocis/templates/idm/secret.yaml
new file mode 100644
index 000000000..f764ca7bd
--- /dev/null
+++ b/charts/ocis/templates/idm/secret.yaml
@@ -0,0 +1,6 @@
+{{- if ne .Values.externalUserManagement "enabled" }}
+{{- $params := (dict)}}
+{{- $_ := set $params "user-id" uuidv4 }}
+{{- $_ := set $params "password" (randAlphaNum 10) }}
+{{- include "ocis.secret" (dict "scope" . "name" .Values.secretRefs.adminUserSecretRef "params" $params)}}
+{{- end }}
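Review bot: The value-reuse branch in `ocis.secret` depends on `lookup`, which returns an empty result under `helm template` and client-side `--dry-run`, so on those render paths every key falls back to the freshly generated `$value`, and applying that output would replace the stored credential. The header comment should state this caveat; it is also cut off at `@para`, and `.scope` is used but undocumented, so I would finish it with `@param .scope The root context, used for .Release.Namespace in the lookup.` An empty `.name` would render a Secret without a name, so consider `name: {{ required "ocis.secret: .name must be set" .name }}`.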
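Review bot: `randAlphaNum 10` gives the generated admin password only ten alphanumeric characters (roughly 60 bits), which is short for the credential guarding the administrative account. A longer value costs nothing because it is machine-generated and stored in the Secret, e.g. `{{- $_ := set $params "password" (randAlphaNum 32) }}`. The guard compares `.Values.externalUserManagement` with the literal string `"enabled"`; values.yaml is not visible in this diff, so confirm that the key really holds a string and not a boolean or a map, otherwise the condition will not behave as intended.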