diff --git a/manifests/configmap.yaml b/manifests/configmap.yaml
index 25205b180..6fdee23b1 100644
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@@ -12,6 +12,7 @@ data:
 dns_name_format: '{cluster}.{team}.staging.{hostedzone}'
 docker_image: registry.opensource.zalan.do/acid/spiloprivate-9.6:1.2-p4
 etcd_host: etcd-client.default.svc.cluster.local:2379
+ secret_name_template: '{username}.{clustername}.credentials.{tprkind}.{tprgroup}'
 infrastructure_roles_secret_name: postgresql-infrastructure-roles
 oauth_token_secret_name: postgresql-operator
 pam_configuration: |
diff --git a/pkg/cluster/util.go b/pkg/cluster/util.go
index 2a1442886..1e79c1ae5 100644
--- a/pkg/cluster/util.go
+++ b/pkg/cluster/util.go
@@ -331,9 +331,12 @@ func (c *Cluster) credentialSecretName(username string) string {
 func (c *Cluster) credentialSecretNameForCluster(username string, clusterName string) string {
 // secret must consist of lower case alphanumeric characters, '-' or '.',
 // and must start and end with an alphanumeric character
- return fmt.Sprintf(constants.UserSecretTemplate,
- strings.Replace(username, "_", "-", -1),
- clusterName)
+
+ return c.OpConfig.SecretNameTemplate.Format(
+ "username", strings.Replace(username, "_", "-", -1),
+ "clustername", clusterName,
+ "tprkind", constants.TPRKind,
+ "tprgroup", constants.TPRGroup)
 }
 
 func (c *Cluster) podSpiloRole(pod *v1.Pod) string {
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 3a9a52f55..b370edcf6 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
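Review bot: In `credentialSecretNameForCluster` (pkg/cluster/util.go) the Secret name is now rendered from the operator-configured `secret_name_template`, but nothing visible in this commit checks that the template still contains `{username}` and `{clustername}`, or that the rendered name meets the constraint stated in the comment above the return. A template that drops `{username}` would give every role of a cluster the same Secret name, and one that drops `{clustername}` would make clusters in one namespace share names, so credentials could be overwritten or served to the wrong role; the old compile-time `UserSecretTemplate` could not be misconfigured this way. I would reject such a template when the configuration is loaded (the `SecretNameTemplate` field in pkg/util/config/config.go) and extend the comment with `// the template is operator-supplied: it must keep {username} and {clustername} and render a valid Secret name`. The implementation of `stringTemplate.Format` is outside this diff, so how it handles unknown or missing placeholders should be confirmed.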
@@ -32,6 +32,7 @@ type Resources struct {
 
 // Auth describes authentication specific configuration parameters
 type Auth struct {
+ SecretNameTemplate stringTemplate `name:"secret_name_template" default:"{username}.{clustername}.credentials.{tprkind}.{tprgroup}"`
 PamRoleName string `name:"pam_role_name" default:"zalandos"`
 PamConfiguration string `name:"pam_configuration" default:"https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees"`
 TeamsAPIUrl string `name:"teams_api_url" default:"https://teams.example.com/api/"`
diff --git a/pkg/util/constants/roles.go b/pkg/util/constants/roles.go
index 5f81cb3d8..2c20d69db 100644
--- a/pkg/util/constants/roles.go
+++ b/pkg/util/constants/roles.go
@@ -3,7 +3,6 @@ package constants
 // Roles specific constants
 const (
 PasswordLength = 64
- UserSecretTemplate = "%s.%s.credentials." + TPRKind + "." + TPRGroup // Username, ClusterName
 SuperuserKeyName = "superuser"
 ReplicationUserKeyName = "replication"
 RoleFlagSuperuser = "SUPERUSER"