diff --git a/changelog.d/5-internal/elasticsearch-ephemeral_configurable_password b/changelog.d/5-internal/elasticsearch-ephemeral_configurable_password
new file mode 100644
index 00000000000..fe65603b55d
--- /dev/null
+++ b/changelog.d/5-internal/elasticsearch-ephemeral_configurable_password
@@ -0,0 +1,3 @@
+Provide password as value in `elasticsearch-ephemeral`. This way we can use
+different passwords on our test systems. Ensuring that the password is really
+configurable (and not accidentally hardcoded somewhere.)
diff --git a/charts/elasticsearch-ephemeral/templates/es.yaml b/charts/elasticsearch-ephemeral/templates/es.yaml
index 4a82cbd28bf..873b50b1693 100644
--- a/charts/elasticsearch-ephemeral/templates/es.yaml
+++ b/charts/elasticsearch-ephemeral/templates/es.yaml
@@ -34,9 +34,8 @@ spec:
           value: ".watches,.triggered_watches,.watcher-history-*,pod-*,node-*"
         - name: "xpack.security.enabled"
           value: "true"
-        # setting the password here is ok, as this chart is only used for integration tests on CI
         - name: "ELASTIC_PASSWORD"
-          value: "changeme"
+          value: {{ .Values.secrets.password }}
         ports:
         - containerPort: 9200
           name: http
diff --git a/charts/elasticsearch-ephemeral/values.yaml b/charts/elasticsearch-ephemeral/values.yaml
index 9d0c5cae8ab..a09d05caeb4 100644
--- a/charts/elasticsearch-ephemeral/values.yaml
+++ b/charts/elasticsearch-ephemeral/values.yaml
@@ -14,3 +14,6 @@ resources:
   requests:
     cpu: "250m"
     memory: "500Mi"
+
+secrets:
+  password: "changeme"