diff --git a/hack/ci-e2e.sh b/hack/ci-e2e.sh index 5c33401af9..b1cbe8d5aa 100755 --- a/hack/ci-e2e.sh +++ b/hack/ci-e2e.sh @@ -180,9 +180,10 @@ for overlay in "${IRONIC_OVERLAYS[@]}"; do "${overlay}/ironic-htpasswd" envsubst < "${REPO_ROOT}/ironic-deployment/components/basic-auth/ironic-auth-config-tpl" > \ "${overlay}/ironic-auth-config" + if [[ "${overlay}" =~ -with-inspector ]]; then IRONIC_INSPECTOR_AUTH_CONFIG_TPL="/tmp/ironic-inspector-auth-config-tpl" - curl -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" https://raw.githubusercontent.com/metal3-io/baremetal-operator/release-0.5/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl + curl -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" https://raw.githubusercontent.com/metal3-io/baremetal-operator/release-0.5/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl envsubst < "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" > \ "${overlay}/ironic-inspector-auth-config" echo "INSPECTOR_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_INSPECTOR_USERNAME}" \ diff --git a/ironic-deployment/components/basic-auth/auth.yaml b/ironic-deployment/components/basic-auth/auth.yaml index b15875de24..9bbf95ec07 100644 --- a/ironic-deployment/components/basic-auth/auth.yaml +++ b/ironic-deployment/components/basic-auth/auth.yaml @@ -8,8 +8,13 @@ spec: containers: - name: ironic envFrom: - # This is the htpassword matching the ironic password - - secretRef: - name: ironic-htpasswd - configMapRef: name: ironic-bmo-configmap + volumeMounts: + - name: ironic-htpasswd + mountPath: "/auth/ironic" + readOnly: true + volumes: + - name: ironic-htpasswd + secret: + secretName: ironic-htpasswd diff --git a/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml b/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml index a05c021fa2..bb20f38996 100644 --- a/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml +++ b/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml 
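Review bot: The mount added in the auth.yaml hunk makes the secret's key name load-bearing, yet the only explanatory comment (`# This is the htpassword matching the ironic password`) is removed rather than updated. With `mountPath: "/auth/ironic"` the file appears as `/auth/ironic/htpasswd` only when the secret carries a key named `htpasswd`, and that name is set in other files (the kustomization secretGenerators and tools/deploy.sh). I would add above `volumeMounts:` a comment such as `# ironic-htpasswd must carry a key named "htpasswd"; it is mounted at /auth/ironic/htpasswd`. Files in a secret volume default to mode 0644, so `defaultMode: 0440` under `secret:` is worth considering, provided the container's user can still read the file. The same applies to the ironic-httpd container in overlays/basic-auth_tls/basic-auth_tls.yaml.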
@@ -8,7 +8,13 @@ spec: containers: - name: ironic-httpd envFrom: - - secretRef: - name: ironic-htpasswd - configMapRef: name: ironic-bmo-configmap + volumeMounts: + - name: ironic-htpasswd + mountPath: "/auth/ironic" + readOnly: true + volumes: + - name: ironic-htpasswd + secret: + secretName: ironic-htpasswd diff --git a/ironic-deployment/overlays/basic-auth_tls/kustomization.yaml b/ironic-deployment/overlays/basic-auth_tls/kustomization.yaml index 76870e50f7..cfa63ef118 100644 --- a/ironic-deployment/overlays/basic-auth_tls/kustomization.yaml +++ b/ironic-deployment/overlays/basic-auth_tls/kustomization.yaml @@ -24,6 +24,7 @@ patches: # Example for how to generate the necessary secrets: # secretGenerator: # - behavior: create -# envs: -# - ironic-htpasswd +# files: +# - htpasswd=ironic-htpasswd # name: ironic-htpasswd +# type: Opaque diff --git a/ironic-deployment/overlays/e2e-release-24.0-with-inspector/kustomization.yaml b/ironic-deployment/overlays/e2e-release-24.0-with-inspector/kustomization.yaml index 1d6ccb25b8..84df757139 100644 --- a/ironic-deployment/overlays/e2e-release-24.0-with-inspector/kustomization.yaml +++ b/ironic-deployment/overlays/e2e-release-24.0-with-inspector/kustomization.yaml @@ -26,12 +26,12 @@ images: secretGenerator: - name: ironic-htpasswd behavior: create - envs: - - ironic-htpasswd + files: + - htpasswd=ironic-htpasswd - name: ironic-inspector-htpasswd behavior: create - envs: - - ironic-inspector-htpasswd + files: + - htpasswd=ironic-inspector-htpasswd - name: ironic-auth-config files: - auth-config=ironic-auth-config diff --git a/ironic-deployment/overlays/e2e/kustomization.yaml b/ironic-deployment/overlays/e2e/kustomization.yaml index 5457ba1e22..4a1b0fdcb3 100644 --- a/ironic-deployment/overlays/e2e/kustomization.yaml +++ b/ironic-deployment/overlays/e2e/kustomization.yaml 
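Review bot: Switching `ironic-inspector-htpasswd` from `envs:` to `files: - htpasswd=ironic-inspector-htpasswd` changes how the generated file is interpreted, but hack/ci-e2e.sh still appears to write it in `KEY=value` form: the unchanged context line there is `echo "INSPECTOR_HTPASSWD=$(htpasswd -n -b -B …`. With `files:` the whole content, prefix included, becomes the value of key `htpasswd`, so the user name in the entry would read `INSPECTOR_HTPASSWD=<user>` and the real credentials would stop matching. The redirect target of that `echo` lies past the end of the ci-e2e.sh hunk, so this needs confirming; if it is this file, the prefix should be dropped so the file holds only the `user:hash` line. The same check applies to `ironic-htpasswd`, which is apparently written just above the ci-e2e.sh hunk and is consumed by this overlay, by overlays/e2e/kustomization.yaml and by `--from-file=htpasswd=ironic-htpasswd` in tools/deploy.sh. No mount for `ironic-inspector-htpasswd` is added anywhere in this diff, so how the inspector container picks up the new key is also worth checking.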
@@ -22,8 +22,9 @@ patches: secretGenerator: - name: ironic-htpasswd behavior: create - envs: - - ironic-htpasswd + files: + - htpasswd=ironic-htpasswd + type: Opaque replacements: # Replace IRONIC_HOST_IP in certificates with the PROVISIONING_IP from the configmap diff --git a/tools/deploy.sh b/tools/deploy.sh index 9306ac7f43..3cb749a0b6 100755 --- a/tools/deploy.sh +++ b/tools/deploy.sh @@ -164,7 +164,7 @@ if [[ "${DEPLOY_IRONIC}" == "true" ]]; then --namespace=baremetal-operator-system --nameprefix=baremetal-operator- if [ "${DEPLOY_BASIC_AUTH}" == "true" ]; then - ${KUSTOMIZE} edit add secret ironic-htpasswd --from-env-file=ironic-htpasswd + ${KUSTOMIZE} edit add secret ironic-htpasswd --from-file=htpasswd=ironic-htpasswd if [[ "${DEPLOY_TLS}" == "true" ]]; then # Basic-auth + TLS is special since TLS also means reverse proxy, which affects basic-auth. diff --git a/tools/run_local_ironic.sh b/tools/run_local_ironic.sh index b623fbda90..e6f754ff51 100755 --- a/tools/run_local_ironic.sh +++ b/tools/run_local_ironic.sh @@ -169,11 +169,14 @@ if [[ -r "${IPXE_KEY_FILE}" ]]; then fi BASIC_AUTH_MOUNTS="" -IRONIC_HTPASSWD="" +IRONIC_HTPASSWD_FILE="${IRONIC_DATA_DIR}/auth/ironic-htpasswd" +IRONIC_HTPASSWD_MOUNT="" +set +x if [ -n "$IRONIC_USERNAME" ]; then - IRONIC_HTPASSWD="$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" - IRONIC_HTPASSWD="--env HTTP_BASIC_HTPASSWD=${IRONIC_HTPASSWD} --env IRONIC_HTPASSWD=${IRONIC_HTPASSWD}" + "$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" > "${IRONIC_HTPASSWD_FILE}" + IRONIC_HTPASSWD_MOUNT="-v ${IRONIC_HTPASSWD_FILE}:/auth/ironic/htpasswd" fi +set -x sudo mkdir -p "$IRONIC_DATA_DIR/html/images" # Locally supplied IPA images are imported here when the environment variables are set accordingly. @@ -192,6 +195,7 @@ fi "$SCRIPTDIR/tools/remove_local_ironic.sh" +set +x if [ "$IRONIC_USE_MARIADB" = "true" ]; then # set password for mariadb mariadb_password=$(echo "$(date;hostname)"|sha256sum |cut -c-20) 
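Review bot: The line `"$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" > "${IRONIC_HTPASSWD_FILE}"` in the @@ -169 hunk of tools/run_local_ironic.sh executes htpasswd's output instead of writing it. The command substitution sits in command position, so the shell tries to run `user:hash` as a program: the redirect leaves an empty file, and the "command not found" message prints the hash to stderr even though tracing is off. It should be `htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}" > "${IRONIC_HTPASSWD_FILE}"`. Nothing visible creates `${IRONIC_DATA_DIR}/auth` (the `sudo mkdir -p` that follows covers only `html/images`), and the redirect runs without sudo under the default umask. Unless this is handled outside the hunk, the directory has to exist and be writable by the invoking user, and the file should get a restrictive mode that the container can still read.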
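Review bot: The `set +x` added before the MariaDB block is paired with a bare `set -x` in the @@ -199 hunk, and the same pair wraps the htpasswd block in the @@ -169 hunk; this switches tracing on afterwards even when the script was started without it. Whether xtrace is enabled earlier in the script is outside these hunks. If it can be off, remember the state instead, for example `case $- in *x*) xtrace=1 ;; *) xtrace=0 ;; esac; set +x` before the block and `if (( xtrace )); then set -x; fi` after it. The `if` block this hunk opens continues past its last line.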
@@ -199,6 +203,7 @@ if [ "$IRONIC_USE_MARIADB" = "true" ]; then else IRONIC_MARIADB_PASSWORD= fi +set -x POD="" @@ -235,9 +240,9 @@ sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name dnsmasq \ # https://github.com/metal3-io/ironic-image/blob/main/scripts/runhttpd # shellcheck disable=SC2086 sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name httpd \ - ${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD} \ + ${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD_MOUNT} \ --env-file "${IRONIC_DATA_DIR}/ironic-vars.env" \ - -v "$IRONIC_DATA_DIR:/shared" --entrypoint /bin/runhttpd "${IRONIC_IMAGE}" + -v "${IRONIC_DATA_DIR}:/shared" --entrypoint /bin/runhttpd "${IRONIC_IMAGE}" if [ "$IRONIC_USE_MARIADB" = "true" ]; then # https://github.com/metal3-io/mariadb-image/blob/main/runmariadb @@ -252,7 +257,7 @@ fi # https://github.com/metal3-io/ironic-image/blob/main/scripts/runironic # shellcheck disable=SC2086 sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name ironic \ - ${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD} \ + ${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD_MOUNT} \ --env-file "${IRONIC_DATA_DIR}/ironic-vars.env" \ ${IRONIC_MARIADB_PASSWORD} --entrypoint /bin/runironic \ -v "$IRONIC_DATA_DIR:/shared" "${IRONIC_IMAGE}"
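Review bot: `${IRONIC_MARIADB_PASSWORD}` is still expanded on the ironic `run` command line in the @@ -252 hunk, after the `set -x` added in the @@ -199 hunk. Whatever the MariaDB branch stores in it is therefore written to the trace, and is visible in the process list, despite tracing being suppressed where the password is generated. The assignment in the `true` branch falls between the hunks, so its exact content is not visible here. If it carries the password, pass it through a file with mode 0600 given to `--env-file`, as is already done with `ironic-vars.env`, or put this invocation inside the same tracing guard.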