diff --git a/pkg/controller/jenkins/configuration/base/resources/rbac.go b/pkg/controller/jenkins/configuration/base/resources/rbac.go
index 0944ab30..729db48c 100644
--- a/pkg/controller/jenkins/configuration/base/resources/rbac.go
+++ b/pkg/controller/jenkins/configuration/base/resources/rbac.go
@@ -44,7 +44,11 @@ func NewRole(meta metav1.ObjectMeta) *v1.Role {
 				Resources: []string{"pods/log"},
 				Verbs:     []string{getVerb, listVerb, watchVerb},
 			},
-			//TODO get secrets ???
+			{
+				APIGroups: []string{""},
+				Resources: []string{"secrets"},
+				Verbs:     []string{getVerb, listVerb, watchVerb},
+			},
 		},
 	}
 }
diff --git a/pkg/controller/jenkins/plugins/base_plugins.go b/pkg/controller/jenkins/plugins/base_plugins.go
index c75c3d70..86a1ac6b 100644
--- a/pkg/controller/jenkins/plugins/base_plugins.go
+++ b/pkg/controller/jenkins/plugins/base_plugins.go
@@ -121,6 +121,11 @@ var BasePluginsMap = map[string][]Plugin{
 	Must(New("configuration-as-code:1.7")).String(): {
 		Must(New("configuration-as-code-support:1.7")),
 	},
+	Must(New("kubernetes-credentials-provider:0.12.1")).String(): {
+		Must(New(credentialsPlugin)),
+		Must(New(structsPlugin)),
+		Must(New(variantPlugin)),
+	},
 }
 
 // BasePlugins returns map of plugins to install by operator
diff --git a/test/e2e/configuration_test.go b/test/e2e/configuration_test.go
index 541e9ea9..d71f693f 100644
--- a/test/e2e/configuration_test.go
+++ b/test/e2e/configuration_test.go
@@ -33,12 +33,14 @@ func TestConfiguration(t *testing.T) {
 	numberOfExecutors := 6
 	systemMessage := "Configuration as Code integration works!!!"
 	systemMessageEnvName := "SYSTEM_MESSAGE"
+	jenkinsCredentialName := "kubernetes-credentials-provider-plugin"
 
 	// base
 	createUserConfigurationSecret(t, jenkinsCRName, namespace, systemMessageEnvName, systemMessage)
 	createUserConfigurationConfigMap(t, jenkinsCRName, namespace, numberOfExecutors, fmt.Sprintf("${%s}", systemMessageEnvName))
 	jenkins := createJenkinsCR(t, jenkinsCRName, namespace)
 	createDefaultLimitsForContainersInNamespace(t, namespace)
+	createKubernetesCredentialsProviderSecret(t, namespace, jenkinsCredentialName)
 	waitForJenkinsBaseConfigurationToComplete(t, jenkins)
 
 	verifyJenkinsMasterPodAttributes(t, jenkins)
@@ -49,6 +51,7 @@ func TestConfiguration(t *testing.T) {
 	waitForJenkinsUserConfigurationToComplete(t, jenkins)
 	verifyJenkinsSeedJobs(t, client, jenkins)
 	verifyUserConfiguration(t, client, numberOfExecutors, systemMessage)
+	verifyIfJenkinsCredentialExists(t, client, jenkinsCredentialName)
 }
 
 func createUserConfigurationSecret(t *testing.T, jenkinsCRName string, namespace string, systemMessageEnvName, systemMessage string) {
@@ -68,6 +71,30 @@ func createUserConfigurationSecret(t *testing.T, jenkinsCRName string, namespace
 	}
 }
 
+func createKubernetesCredentialsProviderSecret(t *testing.T, namespace, name string) {
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Annotations: map[string]string{
+				"jenkins.io/credentials-description": "credentials from Kubernetes",
+			},
+			Labels: map[string]string{
+				"jenkins.io/credentials-type": "usernamePassword",
+			},
+		},
+		StringData: map[string]string{
+			"username": "user",
+			"password": "pass",
+		},
+	}
+
+	t.Logf("Secret for Kubernetes credentials provider plugin %+v", *secret)
+	if err := framework.Global.Client.Create(context.TODO(), secret, nil); err != nil {
+		t.Fatal(err)
+	}
+}
+
 func createUserConfigurationConfigMap(t *testing.T, jenkinsCRName string, namespace string, numberOfExecutors int, systemMessage string) {
 	userConfiguration := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
@@ -248,3 +275,32 @@ if (!"%s".equals(Jenkins.instance.systemMessage)) {
 	logs, err = jenkinsClient.ExecuteScript(checkConfigurationAsCode)
 	assert.NoError(t, err, logs)
 }
+
+func verifyIfJenkinsCredentialExists(t *testing.T, jenkinsClient jenkinsclient.Jenkins, credentialName string) {
+	groovyScriptFmt := `import com.cloudbees.plugins.credentials.Credentials
+
+Set<Credentials> allCredentials = new HashSet<Credentials>();
+
+def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
+	com.cloudbees.plugins.credentials.Credentials.class
+);
+
+allCredentials.addAll(creds)
+
+Jenkins.instance.getAllItems(com.cloudbees.hudson.plugins.folder.Folder.class).each{ f ->
+	creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
+      	com.cloudbees.plugins.credentials.Credentials.class, f)
+	allCredentials.addAll(creds)
+}
+
+def found = false
+for (c in allCredentials) {
+	if("%s".equals(c.id)) found = true
+}
+if(!found) {
+	throw new Exception("Expected credential not found")
+}`
+	groovyScript := fmt.Sprintf(groovyScriptFmt, credentialName)
+	logs, err := jenkinsClient.ExecuteScript(groovyScript)
+	assert.NoError(t, err, logs)
+}