diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ad220338b57e0be08769e1b0f46366cf9e65ca35..2d62a9a774c97cf458bb461717355ec06741a3b9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -290,18 +290,12 @@ qa:
 --set gitlab.sidekiq.redis.password.key=redis-password \
 --set gitlab.sidekiq.psql.serviceName=omnibus \
 --set gitlab.sidekiq.psql.password="$ROOT_PASSWORD" \
- --set gitlab.sidekiq.gitaly.authToken.secret=gitaly-secret \
- --set gitlab.sidekiq.gitaly.authToken.key=token \
 --set gitlab.unicorn.enabled=true \
 --set gitlab.unicorn.redis.serviceName=redis \
 --set gitlab.unicorn.redis.password.secret=gitlab-redis \
 --set gitlab.unicorn.redis.password.key=redis-password \
 --set gitlab.unicorn.psql.serviceName=omnibus \
 --set gitlab.unicorn.psql.password="$ROOT_PASSWORD" \
- --set gitlab.unicorn.shell.authToken.secret=gitlab-shell-secret \
- --set gitlab.unicorn.shell.authToken.key=secret \
- --set gitlab.unicorn.gitaly.authToken.secret=gitaly-secret \
- --set gitlab.unicorn.gitaly.authToken.key=token \
 --set gitlab.unicorn.registry.api.serviceName=registry \
 --set gitlab.unicorn.registry.tokenIssuer="gitlab-issuer" \
 --set gitlab.unicorn.registry.certificate.secret=gitlab-registry \
@@ -314,11 +308,7 @@ qa:
 --set gitlab.migrations.psql.password="$ROOT_PASSWORD" \
 --set gitlab.migrations.initialRootPassword="$ROOT_PASSWORD" \
 --set gitlab.gitlab-shell.enabled=true \
- --set gitlab.gitlab-shell.authToken.secret=gitlab-shell-secret \
- --set gitlab.gitlab-shell.authToken.key=secret \
 --set gitlab.gitaly.enabled=true \
- --set gitlab.gitaly.authToken.secret=gitaly-secret \
- --set gitlab.gitaly.authToken.key=token \
 --set gitlab.omnibus.enabled=true \
 --set gitlab.omnibus.service.type=NodePort \
 --set gitlab.omnibus.psql.password="$ROOT_PASSWORD" \
@@ -406,6 +396,9 @@ qa:
 --docker-password="$CI_REGISTRY_PASSWORD" \
 --docker-email="$GITLAB_USER_EMAIL" \
 -o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f -
+
+ ./scripts/create-secret-token -n "$KUBE_NAMESPACE" --name="gitlab-shell-secret" --key="secret"
+ ./scripts/create-secret-token -n "$KUBE_NAMESPACE" --name="gitaly-secret" --key="token"
 }
 
 function delete() {
diff --git a/doc/example-config.yaml b/doc/example-config.yaml
index 76555d37a08405cb183084c07b4c54c6b8034c32..85df66a38d461b29715ea937d31275ab2acde803 100644
--- a/doc/example-config.yaml
+++ b/doc/example-config.yaml
@@ -58,14 +58,8 @@ gitlab:
 certificate:
 secret: gitlab-registry
 key: registry-auth.key
- shell:
- authToken:
- secret: gitlab-shell-secret
 gitaly:
 serviceName: gitaly
- authToken:
- secret: gitaly-secret
- key: token
 redis:
 serviceName: redis
 password:
@@ -81,9 +75,6 @@ gitlab:
 timeout: 5
 gitaly:
 serviceName: gitaly
- authToken:
- secret: gitaly-secret
- key: token
 redis:
 serviceName: redis
 password:
@@ -105,9 +96,6 @@ gitlab:
 # Gitaly provides storage & API access to Git repository data
 gitaly:
 enabled: true
- authToken:
- name: gitaly-secret
- key: token
 # Handle database init and upgrade migrations, via gitlab-rails codebase
 migrations:
 enabled: true
diff --git a/doc/installation/secrets.md b/doc/installation/secrets.md
index 87955f4cae9a4a1389652d8bd1ecf1758c997ac7..d6b6396f26419ea9655adbac15f6ccf1a599f261 100644
--- a/doc/installation/secrets.md
+++ b/doc/installation/secrets.md
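Review bot: The two added `./scripts/create-secret-token` calls hard-code the secret names `gitlab-shell-secret`/`gitaly-secret` and keys `secret`/`token` that the removed `--set ...authToken...` values in the earlier hunks of this file used to pin explicitly, and nothing in the hunk records that these must now agree with the chart's default secret/key names, so a rename on either side would surface only at pod start rather than here. A one-line comment above the calls, `# Names/keys must match the chart's default authToken secret/key values (see doc/installation/secrets.md)`, would make that coupling visible. The script added in this commit also skips creation when a secret of that name already exists, without checking that it carries the expected key, so this presumably relies on the QA namespace starting clean; worth confirming. The enclosing function starts outside the hunk.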
@@ -83,18 +83,16 @@ $ kubectl create secret generic gitlab-redis --from-literal=redis-password= ./shell_secret -$ kubectl create secret generic gitlab-shell-secret --from-file=secret=shell_secret +$ ./scripts/create-secret-token --name="gitlab-shell-secret" --key="secret" ``` ### Gitaly Secret ``` -$ head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64 > ./gitaly_secret -$ kubectl create secret generic gitaly-secret --from-file=token=gitaly_secret +$ ./scripts/create-secret-token --name="gitaly-secret" --key="token" ``` Once all secrets have been generated and stored, you can proceed to generating
diff --git a/scripts/create-secret-token b/scripts/create-secret-token
new file mode 100755
index 0000000000000000000000000000000000000000..b61511f1fd0f89ee4fb3ef9d78119f7255a37dfd
--- /dev/null
+++ b/scripts/create-secret-token
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -e
+
+KUBE_COMMAND=$(which kubectl)
+
+OPTS=`getopt -o n:s:k:h --long namespace:,name:,key:,help -n 'create-secret-token' -- "$@"`
+eval set -- "$OPTS"
+
+NAMESPACE_CMD=""
+
+display_usage() {
+cat <<-EOF
+Generates random token values. And uses kubectl to create the Kubernetes Secret in the cluster.
+
+USAGE: create-secret-token [OPTIONS]
+
+OPTIONS
+
+ -n, --namespace='': If present, the kubernetes namespace where the secret will be created.
+ -s, --name='': The name for the Kubernetes Secret Object created.
+ -k, --key='': The key name used to contain the token data within the Kubernetes Secret.
+ -h, --help: Displays this usage message.
+
+EOF
+return;
+}
+
+while [ ! $# -eq 0 ]
+do
+ case "$1" in
+ --namespace | -n ) NAMESPACE="$2"; NAMESPACE_CMD="-n ${NAMESPACE}"; shift ;;
+ --name | -s ) SECRET_NAME="$2"; shift ;;
+ --key | -k ) SECRET_KEY="$2"; shift ;;
+ --help | -h ) display_usage; exit 0 ;;
+ esac
+ shift
+done
+
+if [ -z $SECRET_NAME ] || [ -z $SECRET_KEY ]; then
+ echo "ERROR: Missing required options"
+ display_usage
+ exit 0
+fi
+
+# Create secret token if it doesn't exist
+if ! $KUBE_COMMAND ${NAMESPACE_CMD} get secret ${SECRET_NAME} > /dev/null 2>&1; then
+ $KUBE_COMMAND ${NAMESPACE_CMD} create secret generic ${SECRET_NAME} --from-literal=${SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64)
+fi
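Review bot: The `create secret generic` line near the end of the file accepts whatever the `$(head ... | tr ... | head -c 64)` substitution yields, so a failure inside that pipeline (it runs without `pipefail`, and the substitution's status does not affect the kubectl command) would create the secret with an empty or short token instead of failing. Passing the value with `--from-literal` also places the token on kubectl's argv, where it is visible in process listings and in any `set -x` trace; the `--from-file` commands this commit removes from `doc/installation/secrets.md` avoided that. Generating the token into a variable, checking its length, and handing it to kubectl on stdin addresses both, as below. Separately, the missing-required-options branch prints the usage and then `exit 0`, so callers such as the new `.gitlab-ci.yml` invocations cannot detect a misuse; that should be `exit 1` with the message sent to stderr.
```shell
# Create secret token if it doesn't exist
if ! $KUBE_COMMAND ${NAMESPACE_CMD} get secret "${SECRET_NAME}" > /dev/null 2>&1; then
  token=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64)
  # The pipeline's status is that of the last head(1), so validate the result explicitly.
  if [ "${#token}" -ne 64 ]; then
    echo "ERROR: failed to generate a 64-character token" >&2
    exit 1
  fi
  # Feed the value on stdin rather than argv so it never appears in ps output or a set -x trace.
  printf '%s' "$token" | $KUBE_COMMAND ${NAMESPACE_CMD} create secret generic "${SECRET_NAME}" \
    --from-file="${SECRET_KEY}=/dev/stdin"
fi
```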