diff --git a/manifests/fake-teams-api.yaml b/manifests/fake-teams-api.yaml
index 15f7c7576..5214c58ba 100644
--- a/manifests/fake-teams-api.yaml
+++ b/manifests/fake-teams-api.yaml
@@ -4,6 +4,9 @@ metadata:
 name: fake-teams-api
 spec:
 replicas: 1
+ selector:
+ matchLabels:
+ name: fake-teams-api
 template:
 metadata:
 labels:
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index bb68eec1c..b68a36486 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@@ -723,14 +723,14 @@ func (c *Cluster) updateSecret(
 // use system user when pooler is enabled and pooler user is specfied in manifest
 if _, exists := c.systemUsers[constants.ConnectionPoolerUserKeyName]; exists {
 if secretUsername == c.systemUsers[constants.ConnectionPoolerUserKeyName].Name {
- userKey = constants.ConnectionPoolerUserName
+ userKey = constants.ConnectionPoolerUserKeyName
 userMap = c.systemUsers
 }
 }
 // use system user when streams are defined and fes_user is specfied in manifest
 if _, exists := c.systemUsers[constants.EventStreamUserKeyName]; exists {
 if secretUsername == c.systemUsers[constants.EventStreamUserKeyName].Name {
- userKey = fmt.Sprintf("%s%s", constants.EventStreamSourceSlotPrefix, constants.UserRoleNameSuffix)
+ userKey = constants.EventStreamUserKeyName
 userMap = c.systemUsers
 }
 }
diff --git a/pkg/cluster/sync_test.go b/pkg/cluster/sync_test.go
index ea73fb97c..ff7a03103 100644
--- a/pkg/cluster/sync_test.go
+++ b/pkg/cluster/sync_test.go
@@ -286,6 +286,17 @@ func TestUpdateSecret(t *testing.T) {
 Databases: map[string]string{dbname: dbowner},
 Users: map[string]acidv1.UserFlags{"foo": {}, dbowner: {}},
 UsersWithInPlaceSecretRotation: []string{dbowner},
+ Streams: []acidv1.Stream{
+ {
+ ApplicationId: appId,
+ Database: dbname,
+ Tables: map[string]acidv1.StreamTable{
+ "data.foo": acidv1.StreamTable{
+ EventType: "stream-type-b",
+ },
+ },
+ },
+ },
 Volume: acidv1.Volume{
 Size: "1Gi",
 },
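Review bot: In the `updateSecret` hunk of pkg/cluster/sync.go, each branch still spells the map key separately for the existence check, the `.Name` comparison and the `userKey` assignment, which is the shape that allowed the assigned key to drift away from the looked-up key. Binding the entry once keeps the comparison tied to the lookup, for example `if u, ok := c.systemUsers[constants.ConnectionPoolerUserKeyName]; ok && secretUsername == u.Name {`, and likewise for `constants.EventStreamUserKeyName`. Because this choice decides which secrets the rest of the function treats as belonging to system users, a one-line comment such as `// userKey must be a key of userMap, not a role name` above the first branch would document the invariant. The body of `updateSecret` starts and ends outside the hunk, so how `userMap[userKey]` is consumed afterwards cannot be checked from here.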
@@ -297,6 +308,8 @@ func TestUpdateSecret(t *testing.T) {
 Config{
 OpConfig: config.Config{
 Auth: config.Auth{
+ SuperUsername: "postgres",
+ ReplicationUsername: "standby",
 SecretNameTemplate: secretTemplate,
 EnablePasswordRotation: true,
 PasswordRotationInterval: 1,
@@ -312,8 +325,9 @@ func TestUpdateSecret(t *testing.T) {
 cluster.Name = clusterName
 cluster.Namespace = namespace
 cluster.pgUsers = map[string]spec.PgUser{}
- cluster.initRobotUsers()
+ // init all users
+ cluster.initUsers()
 // create secrets
 cluster.syncSecrets()
 // initialize rotation with current time
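Review bot: The new `cluster.initUsers()` call in the second hunk (and the `cluster.syncSecrets()` context line after it) discards whatever the call returns. Their signatures are not visible in this diff, but if they return an error, as setup methods of this kind usually do, a failed initialisation would leave `cluster.pgUsers` and `cluster.systemUsers` partly filled and the loop further down would cover fewer users without the test noticing. In that case the setup should fail loudly, e.g. `assert.NoError(t, cluster.initUsers())`. The enclosing `TestUpdateSecret` starts and ends outside the hunk.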
@@ -321,22 +335,33 @@ func TestUpdateSecret(t *testing.T) {
 dayAfterTomorrow := time.Now().AddDate(0, 0, 2)
- for username := range cluster.Spec.Users {
- pgUser := cluster.pgUsers[username]
+ allUsers := make(map[string]spec.PgUser)
+ for userName, pgUser := range cluster.pgUsers {
+ allUsers[userName] = pgUser
+ }
+ for _, systemUser := range cluster.systemUsers {
+ allUsers[systemUser.Name] = systemUser
+ }
+ for username, pgUser := range allUsers {
 // first, get the secret
- secret, err := cluster.KubeClient.Secrets(namespace).Get(context.TODO(), secretTemplate.Format("username", username, "cluster", clusterName), metav1.GetOptions{})
+ secretName := cluster.credentialSecretName(username)
+ secret, err := cluster.KubeClient.Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
 assert.NoError(t, err)
 secretPassword := string(secret.Data["password"])
 // now update the secret setting a next rotation date (tomorrow + interval)
 cluster.updateSecret(username, secret, &rotationUsers, &retentionUsers, dayAfterTomorrow)
- updatedSecret, err := cluster.KubeClient.Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+ updatedSecret, err := cluster.KubeClient.Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
 assert.NoError(t, err)
 // check that passwords are different
 rotatedPassword := string(updatedSecret.Data["password"])
 if secretPassword == rotatedPassword {
+ // passwords for system users should not have been rotated
+ if pgUser.Origin != spec.RoleOriginManifest {
+ continue
+ }
 t.Errorf("%s: password unchanged in updated secret for %s", testName, username)
 }
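Review bot: The stated expectation that system-user passwords are not rotated is never asserted, because the added `continue` sits inside the `secretPassword == rotatedPassword` branch. A pooler or stream user whose password did change skips that branch and passes silently, which is the regression the sync.go change guards against. Checking the origin first would pin both directions, e.g. `if pgUser.Origin != spec.RoleOriginManifest { assert.Equal(t, secretPassword, rotatedPassword); continue }` placed before the existing comparison. Separately, `allUsers[systemUser.Name] = systemUser` overwrites any entry from `cluster.pgUsers` with the same name, so a short comment saying the fixture relies on distinct names would help. The loop body continues past the end of the hunk.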