diff --git a/charts/qubership-logging-operator/templates/_helpers.tpl b/charts/qubership-logging-operator/templates/_helpers.tpl index 9962a2ec..47cf33d9 100644 --- a/charts/qubership-logging-operator/templates/_helpers.tpl +++ b/charts/qubership-logging-operator/templates/_helpers.tpl @@ -43,9 +43,9 @@ Add Authorization header if Bearer Token authorization enabled for http output i {{- $headers := dict "VL-Msg-Field" "log" "VL-Time-Field" "time" "VL-Stream-Fields" "stream" }} {{- end }} {{- if and $http.auth $http.auth.token $http.auth.token.name $http.auth.token.key }} - {{- $_ := set $headers "Authorization" "Bearer #{ENV['HTTP_TOKEN']}" }} + {{- $_ := set $headers "Authorization" "Bearer #{File.read('/fluentd/output/http/auth/token').strip}" }} {{- else if and $http.auth $http.auth.credentials $http.auth.credentials.token }} - {{- $_ := set $headers "Authorization" "Bearer #{ENV['HTTP_TOKEN']}" }} + {{- $_ := set $headers "Authorization" "Bearer #{File.read('/fluentd/output/http/auth/token').strip}" }} {{- end }} {{- toYaml $headers }} {{- end -}} diff --git a/controllers/fluentd/assets/daemon-set.yaml b/controllers/fluentd/assets/daemon-set.yaml index 8ef9c240..138394bf 100644 --- a/controllers/fluentd/assets/daemon-set.yaml +++ b/controllers/fluentd/assets/daemon-set.yaml 
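Review bot: The `$http.auth.credentials.token` branch now depends on `/fluentd/output/http/auth/token` existing inside the Fluentd container, and nothing in this hunk shows that file being mounted for that case. The daemon-set.yaml changes in this commit mount it only when `Auth.Token.Name` and `Auth.Token.Key` are set. If no mount exists for `credentials.token`, `File.read` would presumably raise while Fluentd parses its config, whereas the old `ENV['HTTP_TOKEN']` lookup interpolated an empty string. Please confirm the mount exists for both branches and record the dependency in the helper's doc comment, for example `Requires the token secret mounted at /fluentd/output/http/auth/token`. The helper definition starts above the hunk, so its full condition chain is not visible here.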
@@ -136,40 +136,6 @@ spec: value: '16777216' - name: RUBY_GC_OLDMALLOC_LIMIT_MAX value: '16777216' -{{- if and .Values.Fluentd.Output .Values.Fluentd.Output.Loki .Values.Fluentd.Output.Loki.Enabled }} -{{- if and .Values.Fluentd.Output.Loki.Auth .Values.Fluentd.Output.Loki.Auth.User .Values.Fluentd.Output.Loki.Auth.User.Name .Values.Fluentd.Output.Loki.Auth.User.Key .Values.Fluentd.Output.Loki.Auth.Password .Values.Fluentd.Output.Loki.Auth.Password.Name .Values.Fluentd.Output.Loki.Auth.Password.Key }} - - name: LOKI_USERNAME - valueFrom: - secretKeyRef: - name: {{ .Values.Fluentd.Output.Loki.Auth.User.Name }} - key: {{ .Values.Fluentd.Output.Loki.Auth.User.Key }} - - name: LOKI_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.Fluentd.Output.Loki.Auth.Password.Name }} - key: {{ .Values.Fluentd.Output.Loki.Auth.Password.Key }} -{{- end }} -{{- end }} -{{- if and .Values.Fluentd.Output .Values.Fluentd.Output.Http .Values.Fluentd.Output.Http.Enabled }} -{{- if and .Values.Fluentd.Output.Http.Auth .Values.Fluentd.Output.Http.Auth.User .Values.Fluentd.Output.Http.Auth.User.Name .Values.Fluentd.Output.Http.Auth.User.Key .Values.Fluentd.Output.Http.Auth.Password .Values.Fluentd.Output.Http.Auth.Password.Name .Values.Fluentd.Output.Http.Auth.Password.Key }} - - name: HTTP_USERNAME - valueFrom: - secretKeyRef: - name: {{ .Values.Fluentd.Output.Http.Auth.User.Name }} - key: {{ .Values.Fluentd.Output.Http.Auth.User.Key }} - - name: HTTP_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.Fluentd.Output.Http.Auth.Password.Name }} - key: {{ .Values.Fluentd.Output.Http.Auth.Password.Key }} -{{- else if and .Values.Fluentd.Output.Http.Auth .Values.Fluentd.Output.Http.Auth.Token .Values.Fluentd.Output.Http.Auth.Token.Name .Values.Fluentd.Output.Http.Auth.Token.Key }} - - name: HTTP_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.Fluentd.Output.Http.Auth.Token.Name }} - key: {{ .Values.Fluentd.Output.Http.Auth.Token.Key }} -{{- end }} -{{- end }} volumeMounts: {{ 
if eq .Values.ContainerRuntimeType "docker" }} {{ if ne .Values.OSKind "ubuntu" }} @@ -234,6 +200,16 @@ spec: readOnly: true subPath: {{ .Values.Fluentd.Output.Loki.Auth.Token.Key }} {{- end }} +{{- if and .Values.Fluentd.Output.Loki.Auth .Values.Fluentd.Output.Loki.Auth.User .Values.Fluentd.Output.Loki.Auth.User.Name .Values.Fluentd.Output.Loki.Auth.User.Key .Values.Fluentd.Output.Loki.Auth.Password .Values.Fluentd.Output.Loki.Auth.Password.Name .Values.Fluentd.Output.Loki.Auth.Password.Key }} + - mountPath: /fluentd/output/loki/auth/username + name: loki-auth-user + readOnly: true + subPath: {{ .Values.Fluentd.Output.Loki.Auth.User.Key }} + - mountPath: /fluentd/output/loki/auth/password + name: loki-auth-password + readOnly: true + subPath: {{ .Values.Fluentd.Output.Loki.Auth.Password.Key }} +{{- end }} {{- if and .Values.Fluentd.Output.Loki.TLS .Values.Fluentd.Output.Loki.TLS.Enabled }} {{- if and .Values.Fluentd.Output.Loki.TLS.CA .Values.Fluentd.Output.Loki.TLS.CA.SecretName .Values.Fluentd.Output.Loki.TLS.CA.SecretKey }} - mountPath: /fluentd/output/loki/tls/ca.crt 
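Review bot: The new `loki-auth-user` and `loki-auth-password` mounts use `subPath`, and the kubelet does not refresh subPath-mounted Secret files when the Secret changes. The `#{File.read(...)}` strings that consume them are also evaluated when Fluentd loads its config, so a rotated credential still needs a pod restart, exactly as with the removed env vars. If picking up rotation was a goal of this change, mount the secret volume as a directory with `items` selecting the key instead. Otherwise add a comment above the mounts such as `# subPath mounts are not updated on Secret rotation; restart the pod after changing credentials`. The same applies to the `http-auth-*` mounts in the `@@ -256,6 +232,21 @@` hunk, and the enclosing Loki block opens outside this hunk.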
@@ -256,6 +232,21 @@ spec: {{- end }} {{- end }} {{- if and .Values.Fluentd.Output .Values.Fluentd.Output.Http .Values.Fluentd.Output.Http.Enabled }} +{{- if and .Values.Fluentd.Output.Http.Auth .Values.Fluentd.Output.Http.Auth.User .Values.Fluentd.Output.Http.Auth.User.Name .Values.Fluentd.Output.Http.Auth.User.Key .Values.Fluentd.Output.Http.Auth.Password .Values.Fluentd.Output.Http.Auth.Password.Name .Values.Fluentd.Output.Http.Auth.Password.Key }} + - mountPath: /fluentd/output/http/auth/username + name: http-auth-user + readOnly: true + subPath: {{ .Values.Fluentd.Output.Http.Auth.User.Key }} + - mountPath: /fluentd/output/http/auth/password + name: http-auth-password + readOnly: true + subPath: {{ .Values.Fluentd.Output.Http.Auth.Password.Key }} +{{- else if and .Values.Fluentd.Output.Http.Auth .Values.Fluentd.Output.Http.Auth.Token .Values.Fluentd.Output.Http.Auth.Token.Name .Values.Fluentd.Output.Http.Auth.Token.Key }} + - mountPath: /fluentd/output/http/auth/token + name: http-auth-token + readOnly: true + subPath: {{ .Values.Fluentd.Output.Http.Auth.Token.Key }} +{{- end }} {{- if and .Values.Fluentd.Output.Http.TLS .Values.Fluentd.Output.Http.TLS.Enabled }} {{- if and .Values.Fluentd.Output.Http.TLS.CA .Values.Fluentd.Output.Http.TLS.CA.SecretName .Values.Fluentd.Output.Http.TLS.CA.SecretKey }} - mountPath: /fluentd/output/http/tls/ca.crt 
@@ -348,6 +339,16 @@ spec: secretName: {{ .Values.Fluentd.Output.Loki.Auth.Token.Name }} defaultMode: 220 {{- end }} +{{- if and .Values.Fluentd.Output.Loki.Auth .Values.Fluentd.Output.Loki.Auth.User .Values.Fluentd.Output.Loki.Auth.User.Name .Values.Fluentd.Output.Loki.Auth.User.Key .Values.Fluentd.Output.Loki.Auth.Password .Values.Fluentd.Output.Loki.Auth.Password.Name .Values.Fluentd.Output.Loki.Auth.Password.Key }} + - name: loki-auth-user + secret: + secretName: {{ .Values.Fluentd.Output.Loki.Auth.User.Name }} + defaultMode: 256 # 0400: read-only for owner + - name: loki-auth-password + secret: + secretName: {{ .Values.Fluentd.Output.Loki.Auth.Password.Name }} + defaultMode: 256 # 0400: read-only for owner +{{- end }} {{- if and .Values.Fluentd.Output.Loki.TLS .Values.Fluentd.Output.Loki.TLS.Enabled }} {{- if and .Values.Fluentd.Output.Loki.TLS.CA .Values.Fluentd.Output.Loki.TLS.CA.SecretName .Values.Fluentd.Output.Loki.TLS.CA.SecretKey }} - name: loki-tls-ca 
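Review bot: `defaultMode: 256` (0400) makes the projected credential files readable only by their owner, so the new `File.read` calls only work if the Fluentd process runs as that owner or the pod sets an `fsGroup`. Neither is visible in this hunk, so please check it against the pod `securityContext`; a permission error would surface at config load rather than as an empty credential. The neighbouring token volume in the context lines uses `defaultMode: 220`, which is octal 0334 and not a read mode, so the volumes in this file do not follow one convention. The same point applies to the `http-auth-user`, `http-auth-password` and `http-auth-token` volumes in the `@@ -370,6 +371,21 @@` hunk.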
@@ -370,6 +371,21 @@ spec: {{- end }} {{- end }} {{- if and .Values.Fluentd.Output .Values.Fluentd.Output.Http .Values.Fluentd.Output.Http.Enabled }} +{{- if and .Values.Fluentd.Output.Http.Auth .Values.Fluentd.Output.Http.Auth.User .Values.Fluentd.Output.Http.Auth.User.Name .Values.Fluentd.Output.Http.Auth.User.Key .Values.Fluentd.Output.Http.Auth.Password .Values.Fluentd.Output.Http.Auth.Password.Name .Values.Fluentd.Output.Http.Auth.Password.Key }} + - name: http-auth-user + secret: + secretName: {{ .Values.Fluentd.Output.Http.Auth.User.Name }} + defaultMode: 256 # 0400: read-only for owner + - name: http-auth-password + secret: + secretName: {{ .Values.Fluentd.Output.Http.Auth.Password.Name }} + defaultMode: 256 # 0400: read-only for owner +{{- else if and .Values.Fluentd.Output.Http.Auth .Values.Fluentd.Output.Http.Auth.Token .Values.Fluentd.Output.Http.Auth.Token.Name .Values.Fluentd.Output.Http.Auth.Token.Key }} + - name: http-auth-token + secret: + secretName: {{ .Values.Fluentd.Output.Http.Auth.Token.Name }} + defaultMode: 256 # 0400: read-only for owner +{{- end }} {{- if and .Values.Fluentd.Output.Http.TLS .Values.Fluentd.Output.Http.TLS.Enabled }} {{- if and .Values.Fluentd.Output.Http.TLS.CA .Values.Fluentd.Output.Http.TLS.CA.SecretName .Values.Fluentd.Output.Http.TLS.CA.SecretKey }} - name: http-tls-ca diff --git a/controllers/fluentd/fluentd.configmap/conf.d/outputs/output-http.conf b/controllers/fluentd/fluentd.configmap/conf.d/outputs/output-http.conf index 826daeff..7237f7e3 100644 --- a/controllers/fluentd/fluentd.configmap/conf.d/outputs/output-http.conf +++ b/controllers/fluentd/fluentd.configmap/conf.d/outputs/output-http.conf 
@@ -8,15 +8,18 @@ {{- if and .Values.Fluentd.Output.Http.Auth .Values.Fluentd.Output.Http.Auth.User .Values.Fluentd.Output.Http.Auth.Password }} method basic - username "#{ENV['HTTP_USERNAME']}" - password "#{ENV['HTTP_PASSWORD']}" + username "#{File.read('/fluentd/output/http/auth/username').strip}" + password "#{File.read('/fluentd/output/http/auth/password').strip}" {{- end }} + {{- $headers := dict "VL-Msg-Field" "log" "VL-Time-Field" "time" "VL-Stream-Fields" "namespace,container" }} {{- if .Values.Fluentd.Output.Http.Headers }} - headers {{ .Values.Fluentd.Output.Http.Headers | toJson }} - {{- else }} - headers {{ printf `{"VL-Msg-Field": "log", "VL-Time-Field": "time", "VL-Stream-Fields": "namespace,container"}` }} + {{- $headers = .Values.Fluentd.Output.Http.Headers }} {{- end }} + {{- if and .Values.Fluentd.Output.Http.Auth .Values.Fluentd.Output.Http.Auth.Token .Values.Fluentd.Output.Http.Auth.Token.Name .Values.Fluentd.Output.Http.Auth.Token.Key }} + {{- $_ := set $headers "Authorization" "Bearer #{File.read('/fluentd/output/http/auth/token').strip}" }} + {{- end }} + headers {{ $headers | toJson }} {{- if .Values.Fluentd.Output.Http.Routing }} {{- $logCategoryHeader := .Values.Fluentd.Output.Http.Routing.LogCategoryHeader | default "X-Log-Type" }} headers_from_placeholders {{ printf "{%s: \"${$.log_category}\"}" ($logCategoryHeader | quote) }} diff --git a/controllers/fluentd/fluentd.configmap/conf.d/outputs/output-loki.conf b/controllers/fluentd/fluentd.configmap/conf.d/outputs/output-loki.conf index 8f9b42eb..80adc3c1 100644 --- a/controllers/fluentd/fluentd.configmap/conf.d/outputs/output-loki.conf +++ b/controllers/fluentd/fluentd.configmap/conf.d/outputs/output-loki.conf 
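Review bot: The conditions that emit `File.read(...)` here do not match the conditions under which daemon-set.yaml mounts the files. The `Authorization` header is added whenever `Auth.Token.Name` and `Auth.Token.Key` are set, but the DaemonSet mounts the token only in the `else if` after the user/password case, so a spec with both configured would read an unmounted path. The basic-auth block, and the username/password block in output-loki.conf, gate only on `Auth.User` and `Auth.Password`, while the mounts also require `.Name` and `.Key` on each. A missing file would presumably raise while the config is parsed, where the old `ENV[...]` lookups gave an empty string, so reuse the exact mount conditions here. Separately, `$headers = .Values.Fluentd.Output.Http.Headers` aliases the user's map, so `set` mutates it in place and silently replaces any user-supplied `Authorization` entry; copy the map first, or document that the token takes precedence.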
@@ -17,8 +17,8 @@ bearer_token_file "/fluentd/output/loki/auth/token" {{- end }} {{- if and .Values.Fluentd.Output.Loki.Auth.User .Values.Fluentd.Output.Loki.Auth.Password }} - username "#{ENV['LOKI_USERNAME']}" - password "#{ENV['LOKI_PASSWORD']}" + username "#{File.read('/fluentd/output/loki/auth/username').strip}" + password "#{File.read('/fluentd/output/loki/auth/password').strip}" {{- end }} {{- end }}