diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
index e5a4e47..26f2b98 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@@ -1,21 +1,33 @@
 - block:
+    - name: Initialize tempfile
+      ansible.builtin.tempfile:
+        state: file
+      register: values_file
+
+    - name: Write chart values w/ password to tempfile
+      ansible.builtin.copy:
+        dest: "{{ values_file.path }}"
+        content: "{{ stepca_values.stdout | regex_replace('(ca_password|provisioner_password): ', '\\1: ' ~ (vapp['metacluster.password'] | b64encode)) }}"
+      no_log: true
+
     - name: Install step-ca chart
       kubernetes.core.helm:
         name: step-certificates
         chart_ref: /opt/metacluster/helm-charts/step-certificates
         release_namespace: step-ca
         create_namespace: yes
-        # Unable to use REST api based readycheck due to 'missing' ingress
+        # Unable to use REST api based readycheck due to lack of ingress
         wait: yes
         kubeconfig: "{{ kubeconfig.path }}"
-        values: "{{ ( stepca_values.stdout | from_yaml ) | combine( { 'inject': ( _template.chart_values | from_yaml ) }, recursive=True ) }}"
-      vars:
-        _template:
-          chart_values: >-
-            secrets:
-              ca_password: "{{ vapp['metacluster.password'] | b64encode }}"
-              provisioner_password: "{{ vapp['metacluster.password'] | b64encode }}"
+        values-files:
+          - "{{ values_file.path }}"
+
+    - name: Cleanup tempfile
+      ansible.builtin.file:
+        path: "{{ values_file.path }}"
+        state: absent
+      when: values_file.path is defined
 
     - name: Retrieve configmap w/ root certificate
       kubernetes.core.k8s_info:
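Review bot: The tempfile holding the base64-encoded CA and provisioner passwords is only deleted on the success path: `Cleanup tempfile` is an ordinary step of the block body, so if `Install step-ca chart` fails the block aborts before it and the secret stays on disk at `values_file.path`; move that task into the block's `always:` section (the `- block:` opened at the top of this hunk continues past its end), where the existing `when: values_file.path is defined` guard then correctly covers the case that the tempfile task itself never ran. Separately, the kubernetes.core.helm option is `values_files`; `values-files:` as written is not a recognised module parameter and the task will fail argument validation, so change the line to `values_files:`. Since `ansible.builtin.copy` rewrites the file, pin its permissions explicitly with `mode: "0600"` rather than relying on whatever mode the tempfile was created with. The pattern in `content:` matches only the key and the following space, so any value already present after `ca_password: ` in `stepca_values.stdout` would be kept and concatenated onto the encoded password — if the rendered defaults are not empty, anchor it to the end of the line, e.g. `'(ca_password|provisioner_password): .*$'`.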