diff --git a/infrastructure/addons/kustomization-rancher.yaml b/infrastructure/addons/kustomization-rancher.yaml
index 78e3cd5..46ba79c 100644
--- a/infrastructure/addons/kustomization-rancher.yaml
+++ b/infrastructure/addons/kustomization-rancher.yaml
@@ -16,4 +16,5 @@ spec:
   dependsOn:
     - name: addon-tailscale-operator
     - name: addon-tailscale-proxyclass
+    - name: addon-external-secrets
     - name: addon-cnpg
diff --git a/infrastructure/addons/rancher/helmrelease-rancher.yaml b/infrastructure/addons/rancher/helmrelease-rancher.yaml
index 12c3182..53282f6 100644
--- a/infrastructure/addons/rancher/helmrelease-rancher.yaml
+++ b/infrastructure/addons/rancher/helmrelease-rancher.yaml
@@ -55,3 +55,8 @@ spec:
             - matchExpressions:
                 - key: node-role.kubernetes.io/control-plane
                   operator: DoesNotExist
+  valuesFrom:
+    - kind: Secret
+      name: rancher-bootstrap-password
+      valuesKey: bootstrapPassword
+      targetPath: bootstrapPassword
diff --git a/infrastructure/addons/rancher/kustomization.yaml b/infrastructure/addons/rancher/kustomization.yaml
index 704e6b2..11901e5 100644
--- a/infrastructure/addons/rancher/kustomization.yaml
+++ b/infrastructure/addons/rancher/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
   - namespace.yaml
   - helmrepository-rancher.yaml
   - helmrelease-rancher.yaml
+  - rancher-bootstrap-password-flux-externalsecret.yaml
   - rancher-bootstrap-password-externalsecret.yaml
   - rancher-db-password-externalsecret.yaml
   - rancher-tailscale-service.yaml
diff --git a/infrastructure/addons/rancher/rancher-bootstrap-password-flux-externalsecret.yaml b/infrastructure/addons/rancher/rancher-bootstrap-password-flux-externalsecret.yaml
new file mode 100644
index 0000000..d96f4c4
--- /dev/null
+++ b/infrastructure/addons/rancher/rancher-bootstrap-password-flux-externalsecret.yaml
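Review bot: `valuesFrom` names the Secret without a namespace, and Flux resolves such references in the HelmRelease's own namespace, so this only finds the `rancher-bootstrap-password` Secret that the new ExternalSecret creates in `flux-system` if the HelmRelease itself lives in `flux-system`; its metadata is outside the hunk, so please confirm. The entry carries no `optional: true`, which holds reconciliation until the Secret exists instead of installing with an empty or default bootstrap password — that is the safer behavior, and a comment above `valuesFrom:` should say it is deliberate, e.g. `# bootstrapPassword comes from the flux-system Secret produced by rancher-bootstrap-password-flux-externalsecret.yaml; the release is intentionally blocked until it exists`. Keep in mind that Helm persists the merged values, including this key, in its release-storage Secret, so the bootstrap password is readable by anyone who can read Secrets in the storage namespace; acceptable for a first-install credential, but worth noting in the same comment so the admin password is changed after initial login.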
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: rancher-bootstrap-password
+  namespace: flux-system
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: doppler-hetznerterra
+    kind: ClusterSecretStore
+  target:
+    name: rancher-bootstrap-password
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        bootstrapPassword: "{{ .RANCHER_BOOTSTRAP_PASSWORD }}"
+  data:
+    - secretKey: RANCHER_BOOTSTRAP_PASSWORD
+      remoteRef:
+        key: RANCHER_BOOTSTRAP_PASSWORD
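Review bot: The `template` block exists to expose the fetched value under the key `bootstrapPassword`, which is exactly the `valuesKey`/`targetPath` the HelmRelease in this commit reads; a comment above `template:` such as `# key name must match valuesKey in helmrelease-rancher.yaml` would stop a later rename on either side from silently breaking the release. The file name and the sibling `rancher-bootstrap-password-externalsecret.yaml` in the kustomization suggest the same password is now materialized in two namespaces; a head comment stating that this copy lives in `flux-system` solely because the HelmRelease's `valuesFrom` can only read Secrets from its own namespace would make the duplication read as intentional rather than drift. With `refreshInterval: 1h`, rotating the upstream value rewrites this Secret and, because the HelmRelease consumes it through `valuesFrom`, changes the release's effective values and triggers an upgrade; whether that is harmless after first install depends on how the chart treats `bootstrapPassword`, which the page does not show, so the expected rotation behavior deserves a comment either way.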