diff --git a/kube/deploy/core/_networking/cilium/loadbalancer/BGP.yaml b/kube/deploy/core/_networking/cilium/loadbalancer/BGP.yaml
index b4dc25f0..5b3b1c96 100644
--- a/kube/deploy/core/_networking/cilium/loadbalancer/BGP.yaml
+++ b/kube/deploy/core/_networking/cilium/loadbalancer/BGP.yaml
@@ -21,6 +21,7 @@ spec:
 neighbors:
 - peerAddress: "${IP_ROUTER_VLAN_K8S}/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
 peerASN: *router
+ authSecretRef: cilium-bgp-password-router
 gracefulRestart:
 enabled: true
 restartTimeSeconds: 120
diff --git a/kube/deploy/core/_networking/cilium/loadbalancer/es.yaml b/kube/deploy/core/_networking/cilium/loadbalancer/es.yaml
new file mode 100644
index 00000000..2e884522
--- /dev/null
+++ b/kube/deploy/core/_networking/cilium/loadbalancer/es.yaml
@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name cilium-bgp-password-router
+ namespace: kube-system
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "Cilium - ${CLUSTER_NAME}"
+ # key: "Cilium - biohazard"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
+ template:
+ type: Opaque
+ data:
+ password: '{{ .SECRET_CILIUM_BGP_PASSWORD_ROUTER }}'
+
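Review bot: The new `authSecretRef` line in BGP.yaml carries no comment on where the referenced Secret comes from or what shape it must have, unlike the `peerAddress` line above it. Cilium reads this Secret from its configured BGP secrets namespace and expects a `password` key, which matches the `kube-system` Secret templated by es.yaml in this commit. I would add `# Secret from es.yaml; must be in Cilium's BGP secrets namespace with a "password" key` on that line. It is also worth confirming how the agent treats a Secret that is missing or not yet synced, so the session cannot quietly come up without authentication. The neighbor entry continues outside the hunk.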
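Review bot: `dataFrom.extract` in es.yaml reads every field of the "Cilium - ${CLUSTER_NAME}" item on each one-minute refresh, although the template uses only `SECRET_CILIUM_BGP_PASSWORD_ROUTER`. A `data` entry with `remoteRef.property` would request just that field, assuming the `1p` store's provider supports property lookups; the store definition is not visible here. The commented-out `# key: "Cilium - biohazard"` line hard-codes one cluster's item name and can be dropped. With `refreshInterval: 1m` a rotated value reaches the Secret within a minute, so the router side has to be changed in step or the session will fail authentication.

```yaml
spec:
  # … unchanged: refreshInterval, secretStoreRef …
  data:
    - secretKey: SECRET_CILIUM_BGP_PASSWORD_ROUTER
      remoteRef:
        key: "Cilium - ${CLUSTER_NAME}"
        property: SECRET_CILIUM_BGP_PASSWORD_ROUTER
  # … unchanged: target and its template …
```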