diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go index a88cde53e..19712cccd 100644 --- a/pkg/cluster/cluster.go +++ b/pkg/cluster/cluster.go @@ -124,7 +124,7 @@ func New(cfg Config, kubeClient k8sutil.KubernetesClient, pgSpec acidv1.Postgres return fmt.Sprintf("%s-%s", e.PodName, e.ResourceVersion), nil }) - password_encryption, ok := pgSpec.Spec.PostgresqlParam.Parameters["password_encryption"] + password_encryption, ok := pgSpec.Spec.PostgresqlParam.Parameters["password_encryption"] if !ok { password_encryption = "md5" } diff --git a/pkg/cluster/resources.go b/pkg/cluster/resources.go index c75457a5a..769c2169b 100644 --- a/pkg/cluster/resources.go +++ b/pkg/cluster/resources.go @@ -13,7 +13,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + "github.com/zalando/postgres-operator/pkg/spec" "github.com/zalando/postgres-operator/pkg/util" + "github.com/zalando/postgres-operator/pkg/util/constants" "github.com/zalando/postgres-operator/pkg/util/k8sutil" "github.com/zalando/postgres-operator/pkg/util/retryutil" ) @@ -207,8 +209,6 @@ func (c *Cluster) deleteConnectionPooler() (err error) { serviceName = service.Name } - // set delete propagation policy to foreground, so that all the dependant - // will be deleted. err = c.KubeClient. Services(c.Namespace). Delete(context.TODO(), serviceName, options) 
@@ -221,6 +221,29 @@ func (c *Cluster) deleteConnectionPooler() (err error) { c.logger.Infof("Connection pooler service %q has been deleted", serviceName) + // Repeat the same for the secret object + connectionPoolerUser := spec.PgUser{ + Origin: spec.RoleConnectionPooler, + Name: c.OpConfig.ConnectionPooler.User, + Flags: []string{constants.RoleFlagLogin}, + Password: util.RandomPassword(constants.PasswordLength), + } + + secretTemplate := c.generateSingleUserSecret(c.Namespace, connectionPoolerUser) + secret, err := c.KubeClient. + Secrets(c.Namespace). + Get(context.TODO(), secretTemplate.Name, metav1.GetOptions{}) + + if err != nil { + c.logger.Debugf("could not get connection pooler secret %q: %v", secretTemplate.Name, err) + } else { + uid := secret.UID + if err = c.deleteSecret(uid, *secret); err != nil { + return fmt.Errorf("could not delete pooler secret: %v", err) + } + c.Secrets[uid] = nil + } + c.ConnectionPooler = nil return nil } @@ -730,14 +753,11 @@ func (c *Cluster) deleteSecrets() error { var errors []string errorCount := 0 for uid, secret := range c.Secrets { - c.logger.Debugf("deleting secret %q", util.NameFromMeta(secret.ObjectMeta)) - err := c.KubeClient.Secrets(secret.Namespace).Delete(context.TODO(), secret.Name, c.deleteOptions) + err := c.deleteSecret(uid, *secret) if err != nil { - errors = append(errors, fmt.Sprintf("could not delete secret %q: %v", util.NameFromMeta(secret.ObjectMeta), err)) + errors = append(errors, fmt.Sprintf("%v", err)) errorCount++ } - c.logger.Infof("secret %q has been deleted", util.NameFromMeta(secret.ObjectMeta)) - c.Secrets[uid] = nil } if errorCount > 0 { 
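Review bot: In deleteConnectionPooler the `if err != nil` after the Secrets Get treats every failure as "nothing to delete": any API error other than not-found is logged at debug level, the Secret carrying the pooler's login credentials stays behind, and the function still clears `c.ConnectionPooler` and returns nil, so the cleanup is never retried. Distinguish not-found from other errors with `k8sutil.ResourceNotFound(err)` (this same patch uses it in deleteSecret) and return the rest. The `c.Secrets[uid] = nil` in the else branch duplicates what deleteSecret already does. The `Password: util.RandomPassword(...)` field exists only so generateSingleUserSecret can derive the secret name; a comment such as `// naming stub: only the generated secret name is used, no credential is created here` would spare the next reader that question. deleteConnectionPooler begins outside this hunk.
```go
	secret, err := c.KubeClient.
		Secrets(c.Namespace).
		Get(context.TODO(), secretTemplate.Name, metav1.GetOptions{})
	if k8sutil.ResourceNotFound(err) {
		c.logger.Debugf("connection pooler secret %q does not exist, nothing to delete", secretTemplate.Name)
	} else if err != nil {
		return fmt.Errorf("could not get connection pooler secret %q: %v", secretTemplate.Name, err)
	} else if err = c.deleteSecret(secret.UID, *secret); err != nil {
		return fmt.Errorf("could not delete pooler secret: %v", err)
	}
	// … unchanged: c.ConnectionPooler = nil; return nil …
```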
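Review bot: The new `c.deleteSecret(uid, *secret)` in the deleteSecrets loop dereferences every map value, yet nothing in this patch removes entries from `c.Secrets`; both deleteSecret and deleteConnectionPooler only set `c.Secrets[uid] = nil`. If deleteConnectionPooler has already nilled the pooler secret's entry by the time deleteSecrets runs (the call order is not visible here), the loop panics on that entry. Either skip stale values with `if secret == nil { continue }` at the top of the loop, or have the helper `delete(c.Secrets, uid)` so nil entries never exist. The `fmt.Sprintf("%v", err)` is just `err.Error()`. deleteSecrets begins and ends outside this hunk.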
@@ -747,6 +767,21 @@ func (c *Cluster) deleteSecrets() error { return nil } +func (c *Cluster) deleteSecret(uid types.UID, secret v1.Secret) error { + c.setProcessName("deleting secret") + c.logger.Debugf("deleting secret %q", util.NameFromMeta(secret.ObjectMeta)) + err := c.KubeClient.Secrets(secret.Namespace).Delete(context.TODO(), secret.Name, c.deleteOptions) + if k8sutil.ResourceNotFound(err) { + c.logger.Debugf("Connection pooler secret was already deleted") + } else if err != nil { + return fmt.Errorf("could not delete secret %q: %v", util.NameFromMeta(secret.ObjectMeta), err) + } + c.logger.Infof("secret %q has been deleted", util.NameFromMeta(secret.ObjectMeta)) + c.Secrets[uid] = nil + + return nil +} + func (c *Cluster) createRoles() (err error) { // TODO: figure out what to do with duplicate names (humans and robots) among pgUsers return c.syncRoles() diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go index b03b5d494..056e43043 100644 --- a/pkg/cluster/sync.go +++ b/pkg/cluster/sync.go @@ -500,6 +500,7 @@ func (c *Cluster) syncSecrets() error { c.logger.Warningf("secret %q does not contain the role %q", secretSpec.Name, secretUsername) continue } + c.Secrets[secret.UID] = secret c.logger.Debugf("secret %q already exists, fetching its password", util.NameFromMeta(secret.ObjectMeta)) if secretUsername == c.systemUsers[constants.SuperuserKeyName].Name { secretUsername = constants.SuperuserKeyName
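Review bot: deleteSecret is a general helper (deleteSecrets calls it for every entry in `c.Secrets`), but its not-found branch logs `"Connection pooler secret was already deleted"`, which is wrong for every other secret it handles; use `c.logger.Debugf("secret %q was already deleted", util.NameFromMeta(secret.ObjectMeta))`. It also takes `v1.Secret` by value while both callers hold a `*v1.Secret` and dereference it only to make the call, so each invocation copies the whole object including its data payload; taking `*v1.Secret` avoids that. A short doc comment stating that a not-found response counts as success and that the `c.Secrets` entry is set to nil rather than removed would make the helper's contract explicit for callers that iterate the map.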
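Review bot: The new `c.Secrets[secret.UID] = secret` sits after the `continue` taken when a secret lacks the expected role key, so an existing secret that fails that check is never registered in `c.Secrets` and, given that deleteSecrets in this same patch only iterates that map, is presumably left in the namespace when the cluster is deleted. If the intent is that every secret the operator owns is tracked for cleanup, move the assignment above the role-key check; if such secrets are deliberately left alone, a comment like `// secrets without the role key are not tracked and will not be removed on cluster deletion` would record that choice. The condition guarding that `continue` and the rest of syncSecrets are outside this hunk.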