diff --git a/packages/rke2-canal/charts/templates/config.yaml b/packages/rke2-canal/charts/templates/config.yaml
index 1a005ca46..0243494b2 100644
--- a/packages/rke2-canal/charts/templates/config.yaml
+++ b/packages/rke2-canal/charts/templates/config.yaml
@@ -1,12 +1,18 @@
 ---
 # Source: calico/templates/calico-config.yaml
 # This ConfigMap is used to configure a self-hosted Canal installation.
-kind: ConfigMap
+kind: Secret
 apiVersion: v1
 metadata:
 name: {{ .Release.Name }}-config
 namespace: kube-system
-data:
+stringData:
+{{- $secretName := print .Release.Name "-config"}}
+{{- $config := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
+{{- $psk := (get $config "psk") | default (randAlphaNum 96) }}
+{{- if eq .Values.flannel.backend "ipsec" }}
+ psk: {{ $psk | quote }}
+{{- end }}
 # Typha is disabled.
 typha_service_name: {{ .Values.calico.typhaServiceName | quote }}
 # The interface used by canal for host <-> host communication.
@@ -67,5 +73,8 @@ data:
 {{- end }}
 "Backend": {
 "Type": {{ .Values.flannel.backend | quote }}
+{{- if eq .Values.flannel.backend "ipsec" }}
+ "PSK": {{ $psk | quote }}
+{{- end }}
 }
 }
diff --git a/packages/rke2-canal/charts/templates/daemonset.yaml b/packages/rke2-canal/charts/templates/daemonset.yaml
index cefe5277e..6c70bb754 100644
--- a/packages/rke2-canal/charts/templates/daemonset.yaml
+++ b/packages/rke2-canal/charts/templates/daemonset.yaml
@@ -53,7 +53,7 @@ spec:
 # The CNI network config to install on each node.
 - name: CNI_NETWORK_CONFIG
 valueFrom:
- configMapKeyRef:
+ secretKeyRef:
 name: {{ .Release.Name }}-config
 key: cni_network_config
 # Set the hostname based on the k8s node name.
@@ -64,7 +64,7 @@ spec:
 # CNI MTU Config variable
 - name: CNI_MTU
 valueFrom:
- configMapKeyRef:
+ secretKeyRef:
 name: {{ .Release.Name }}-config
 key: veth_mtu
 # Prevents the container from sleeping forever.
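Review bot: In the first config.yaml hunk, `get $config "psk"` reads a top-level key of the object returned by `lookup`, but a stored Secret keeps its values base64-encoded under `data`, so this looks like it never finds the existing PSK and `randAlphaNum 96` yields a new one on every render. The lookup also uses `.Release.Namespace` while the Secret is created in the hard-coded `kube-system`, so it would miss whenever the release namespace differs. A PSK that changes on each upgrade can leave nodes with mismatched keys while the DaemonSet rolls out. I would read the stored value with `{{- $data := (get $config "data") | default dict }}` and `{{- $psk := (get $data "psk") | b64dec | default (randAlphaNum 96) }}`, and pass `"kube-system"` to `lookup`.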
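Review bot: In the second config.yaml hunk (-67,5) the added `"PSK"` member follows `"Type": {{ .Values.flannel.backend | quote }}` with no comma between them, so with the `ipsec` backend the rendered `"Backend"` object is not valid JSON as shown here. The comma has to be conditional as well, for example `, "PSK": {{ $psk | quote }}` inside the `if`. The JSON document this belongs to starts outside the hunk, so the rendered output is worth checking with `helm template` for both an `ipsec` and a non-`ipsec` backend.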
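Review bot: `CNI_NETWORK_CONFIG` in the daemonset.yaml hunk at -53, and `CNI_MTU`, `FLANNELD_IFACE` and `FLANNELD_IP_MASQ` in the hunks at -64 and -208, are now read from the same Secret that carries the IPsec PSK, although none of these values appears sensitive. Keeping them in a ConfigMap and moving only the PSK-bearing keys into a Secret would let operators inspect the CNI settings without read access to the key and keep RBAC on the Secret narrow. If the single-object layout stays, a comment such as `# Non-secret settings live in this Secret only because it also carries the flannel PSK.` above the first `secretKeyRef` would record the reason. The container spec these entries belong to starts outside the hunks.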
@@ -208,12 +208,12 @@ spec:
 fieldPath: metadata.namespace
 - name: FLANNELD_IFACE
 valueFrom:
- configMapKeyRef:
+ secretKeyRef:
 name: {{ .Release.Name }}-config
 key: canal_iface
 - name: FLANNELD_IP_MASQ
 valueFrom:
- configMapKeyRef:
+ secretKeyRef:
 name: {{ .Release.Name }}-config
 key: masquerade
 volumeMounts:
@@ -239,8 +239,8 @@ spec:
 type: FileOrCreate
 # Used by flannel.
 - name: flannel-cfg
- configMap:
- name: {{ .Release.Name }}-config
+ secret:
+ secretName: {{ .Release.Name }}-config
 # Used to install CNI.
 - name: cni-bin-dir
 hostPath:
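Review bot: In the last hunk (-239,8) the `flannel-cfg` volume mounts every key of the Secret, so with the `ipsec` backend the standalone `psk` key is projected into the container as a file next to the flannel config that already embeds the PSK. Secret volumes default to mode 0644, so I would add `defaultMode: 0400` under `secret:` (assuming flanneld runs as root in this pod, which the hunk does not show) and an `items:` list limited to the key flannel actually reads. The volume list continues outside the hunk.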