diff --git a/openstack/keystone/Chart.lock b/openstack/keystone/Chart.lock
index 66cf3476878..3c93cd138da 100644
--- a/openstack/keystone/Chart.lock
+++ b/openstack/keystone/Chart.lock
@@ -19,9 +19,9 @@ dependencies:
   version: 1.1.7
 - name: utils
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
-  version: 0.15.0
+  version: 0.19.6
 - name: linkerd-support
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
   version: 0.1.4
-digest: sha256:7f3e9665e9e649af94735fe7b6233667353fe5aca639dc86e295def90a56f4b7
-generated: "2024-09-30T20:42:46.060829+05:30"
+digest: sha256:6e608d38f5aed8d81e803f77462f441132614f6487e6ca037e7dc61a2b47ae60
+generated: "2024-11-27T16:00:14.156431+05:30"
diff --git a/openstack/keystone/Chart.yaml b/openstack/keystone/Chart.yaml
index 0f16cc660fa..3a04b1d7e5b 100644
--- a/openstack/keystone/Chart.yaml
+++ b/openstack/keystone/Chart.yaml
@@ -9,7 +9,7 @@ maintainers:
 name: keystone
 sources:
   - https://github.com/sapcc/keystone
-version: 0.7.3
+version: 0.7.4
 dependencies:
   - condition: mariadb.enabled
     name: mariadb
@@ -36,7 +36,7 @@ dependencies:
     version: 1.1.7
   - name: utils
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
-    version: 0.15.0
+    version: 0.19.6
   - name: linkerd-support
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
     version: 0.1.4
diff --git a/openstack/keystone/templates/bin/_bootstrap.tpl b/openstack/keystone/templates/bin/_bootstrap.tpl
index a62c6c82ca7..58aca1d362d 100644
--- a/openstack/keystone/templates/bin/_bootstrap.tpl
+++ b/openstack/keystone/templates/bin/_bootstrap.tpl
@@ -4,7 +4,7 @@ set -ex
 # seed just enough to have a functional v3 api
 keystone-manage --config-file=/etc/keystone/keystone.conf --config-file=/etc/keystone/keystone.conf.d/secrets.conf bootstrap \
     --bootstrap-username {{ .Values.api.adminUser }} \
-    --bootstrap-password {{ required "A valid .Values.api.adminPassword required!" .Values.api.adminPassword }} \
+    --bootstrap-password {{ required "A valid .Values.api.adminPassword required!" .Values.api.adminPassword | include "resolve_secret" }} \
     --bootstrap-project-name {{ .Values.api.adminProjectName }} \
 {{- if eq .Values.services.admin.scheme "https" }}
     --bootstrap-admin-url https://{{.Values.services.admin.host}}.{{.Values.global.region}}.{{.Values.global.tld}}/v3 \
diff --git a/openstack/keystone/templates/etc/_secrets.conf.tpl b/openstack/keystone/templates/etc/_secrets.conf.tpl
index 88e88321c0d..779a9c9990c 100644
--- a/openstack/keystone/templates/etc/_secrets.conf.tpl
+++ b/openstack/keystone/templates/etc/_secrets.conf.tpl
@@ -4,14 +4,14 @@
 {{ if .Values.percona_cluster.enabled -}}
   {{/* in caase percona is active and we need to switch the connection string to mariadb-galera cluster without removing the percona cluster objects */}}
   {{- if and .Values.mariadb_galera.enabled .Values.databaseKind (eq .Values.databaseKind "galera") -}}
-connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
+connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password | include "resolve_secret_urlquery" }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
   {{- else }}
 connection = {{ include "db_url_pxc" . }}
   {{- end }}
 {{- else if .Values.global.clusterDomain -}}
-connection = mysql+pymysql://{{ default .Release.Name .Values.global.dbUser }}:{{.Values.global.dbPassword }}@{{include "db_host" .}}/{{ default .Release.Name .Values.mariadb.name }}?charset=utf8
+connection = mysql+pymysql://{{ default .Release.Name .Values.global.dbUser }}:{{.Values.global.dbPassword | include "resolve_secret_urlquery" }}@{{include "db_host" .}}/{{ default .Release.Name .Values.mariadb.name }}?charset=utf8
 {{- else if and .Values.mariadb_galera.enabled .Values.databaseKind (eq .Values.databaseKind "galera") -}}
-connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
+connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password | include "resolve_secret_urlquery" }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
 {{- else }}
 connection = {{ include "db_url_mysql" . }}
 {{- end }}
@@ -20,14 +20,14 @@ connection = {{ include "db_url_mysql" . }}
 [cache]
 memcache_sasl_enabled = True
 memcache_username = {{ .Values.memcached.auth.username }}
-memcache_password = {{ .Values.memcached.auth.password }}
+memcache_password = {{ .Values.memcached.auth.password | include "resolve_secret" }}
 {{- end }}
 
 {{- if not (and (hasKey $.Values "oslo_messaging_notifications") ($.Values.oslo_messaging_notifications.disabled)) }}
 [oslo_messaging_notifications]
 driver = messaging
   {{- if and (.Values.audit.central_service.user) (.Values.audit.central_service.password) }}
-transport_url = rabbit://{{ .Values.audit.central_service.user }}:{{ .Values.audit.central_service.password }}@{{ .Values.audit.central_service.host }}:{{ .Values.audit.central_service.port }}/
+transport_url = rabbit://{{ .Values.audit.central_service.user | include "resolve_secret_urlquery" }}:{{ .Values.audit.central_service.password | include "resolve_secret_urlquery" }}@{{ .Values.audit.central_service.host }}:{{ .Values.audit.central_service.port }}/
 
 [oslo_messaging_rabbit]
 rabbit_retry_interval = {{ .Values.audit.central_service.rabbit_retry_interval | default 1 }}
@@ -41,9 +41,9 @@ heartbeat_timeout_threshold = {{ .Values.audit.central_service.heartbeat_timeout
       when rabbit_interval_max >= rabbit_retry_interval
 */}}
   {{- else if .Values.rabbitmq.host }}
-transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password }}@{{ .Values.rabbitmq.host }}:{{ .Values.rabbitmq.port | default 5672 }}
+transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password | include "resolve_secret_urlquery" }}@{{ .Values.rabbitmq.host }}:{{ .Values.rabbitmq.port | default 5672 }}
   {{ else }}
-transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password }}@{{ include "rabbitmq_host" . }}:{{ .Values.rabbitmq.port | default 5672 }}
+transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password | include "resolve_secret_urlquery" }}@{{ include "rabbitmq_host" . }}:{{ .Values.rabbitmq.port | default 5672 }}
   {{- end }}
 {{- end }}