diff --git a/sandboxes/cleartext-header-mode/config/fleetspeak-server/components.textproto b/sandboxes/cleartext-header-mode/config/fleetspeak-server/components.textproto
index 915d61b5..a6fbfbe8 100644
--- a/sandboxes/cleartext-header-mode/config/fleetspeak-server/components.textproto
+++ b/sandboxes/cleartext-header-mode/config/fleetspeak-server/components.textproto
@@ -1,4 +1,4 @@
-mysql_data_source_name:"fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+mysql_data_source_name:"fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 https_config: {
   listen_address: "0.0.0.0:9090"
   certificates:"FRONTEND_CERTIFICATE"
diff --git a/sandboxes/cleartext-header-mode/config/fleetspeak.textproto b/sandboxes/cleartext-header-mode/config/fleetspeak.textproto
index 4df1919f..ab47c9ba 100644
--- a/sandboxes/cleartext-header-mode/config/fleetspeak.textproto
+++ b/sandboxes/cleartext-header-mode/config/fleetspeak.textproto
@@ -2,7 +2,7 @@ configuration_name: "Example"
 
 components_config {
 
-  mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+  mysql_data_source_name: "fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 
   https_config {
     listen_address: "fleetspeak-server:9090"
diff --git a/sandboxes/cleartext-header-mode/docker-compose.yaml b/sandboxes/cleartext-header-mode/docker-compose.yaml
index 792fb441..cf9d0180 100644
--- a/sandboxes/cleartext-header-mode/docker-compose.yaml
+++ b/sandboxes/cleartext-header-mode/docker-compose.yaml
@@ -7,8 +7,8 @@ services:
     environment:
       MYSQL_DATABASE: 'fleetspeak'
       MYSQL_USER: 'fleetspeak-user'
-      MYSQL_PASSWORD: 'fleetspeak-password'
-      MYSQL_ROOT_PASSWORD: 'password'
+      MYSQL_PASSWORD: 'FS_PASSWORD'
+      MYSQL_ROOT_PASSWORD: 'FS_SQL_PASSWORD'
     ports:
       - '3306:3306'
     expose:
@@ -29,14 +29,12 @@ services:
     - "10000:10000"
 
   fleetspeak-server:
-    build:
-      context: .
-      dockerfile: ../shared/fleetspeak-server/Dockerfile
+    image: ghcr.io/google/fleetspeak:latest
     hostname: fleetspeak-server
     depends_on:
       mysql-server:
         condition: service_healthy
-    entrypoint: ["/app/bin/server", "-components_config", "/config/fleetspeak-server/components.textproto", "-services_config", "/config/fleetspeak-server/services.textproto", "-alsologtostderr"]
+    entrypoint: ["/fleetspeak/bin/server", "-components_config", "/config/fleetspeak-server/components.textproto", "-services_config", "/config/fleetspeak-server/services.textproto", "-alsologtostderr"]
     volumes:
       - "./config:/config"
     ports:
@@ -60,6 +58,6 @@ services:
     depends_on:
       fleetspeak-server:
         condition: service_healthy
-    entrypoint: ["/app/bin/client", "-config", "/config/fleetspeak-client/config.textproto", "-alsologtostderr"]
+    entrypoint: ["/fleetspeak/bin/client", "-config", "/config/fleetspeak-client/config.textproto", "-alsologtostderr"]
     volumes:
       - "./config:/config"
diff --git a/sandboxes/cleartext-xfcc-mode/config/fleetspeak-server/components.textproto b/sandboxes/cleartext-xfcc-mode/config/fleetspeak-server/components.textproto
index 29759876..c656384d 100644
--- a/sandboxes/cleartext-xfcc-mode/config/fleetspeak-server/components.textproto
+++ b/sandboxes/cleartext-xfcc-mode/config/fleetspeak-server/components.textproto
@@ -1,4 +1,4 @@
-mysql_data_source_name:"fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+mysql_data_source_name:"fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 https_config: {
   listen_address: "0.0.0.0:9090"
   certificates:"FRONTEND_CERTIFICATE"
diff --git a/sandboxes/cleartext-xfcc-mode/config/fleetspeak.textproto b/sandboxes/cleartext-xfcc-mode/config/fleetspeak.textproto
index 4df1919f..ab47c9ba 100644
--- a/sandboxes/cleartext-xfcc-mode/config/fleetspeak.textproto
+++ b/sandboxes/cleartext-xfcc-mode/config/fleetspeak.textproto
@@ -2,7 +2,7 @@ configuration_name: "Example"
 
 components_config {
 
-  mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+  mysql_data_source_name: "fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 
   https_config {
     listen_address: "fleetspeak-server:9090"
diff --git a/sandboxes/cleartext-xfcc-mode/docker-compose.yaml b/sandboxes/cleartext-xfcc-mode/docker-compose.yaml
index 459401ed..cf9d0180 100644
--- a/sandboxes/cleartext-xfcc-mode/docker-compose.yaml
+++ b/sandboxes/cleartext-xfcc-mode/docker-compose.yaml
@@ -7,8 +7,8 @@ services:
     environment:
       MYSQL_DATABASE: 'fleetspeak'
       MYSQL_USER: 'fleetspeak-user'
-      MYSQL_PASSWORD: 'fleetspeak-password'
-      MYSQL_ROOT_PASSWORD: 'password'
+      MYSQL_PASSWORD: 'FS_PASSWORD'
+      MYSQL_ROOT_PASSWORD: 'FS_SQL_PASSWORD'
     ports:
       - '3306:3306'
     expose:
diff --git a/sandboxes/createConfig.sh b/sandboxes/createConfig.sh
index 329946d6..011b4a9c 100755
--- a/sandboxes/createConfig.sh
+++ b/sandboxes/createConfig.sh
@@ -36,3 +36,30 @@ cp cert.pem key.pem ./cleartext-xfcc-mode/
 cp cert.pem key.pem ./direct-mtls-mode/
 cp cert.pem key.pem ./https-header-mode/
 cp cert.pem key.pem ./passthrough-mode/
+
+MYSQL_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9@%*+,-./' < /dev/urandom 2>/dev/null | head -c 16)
+FLEETSPEAK_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9@%*+,-./' < /dev/urandom 2>/dev/null | head -c 16)
+
+sed -i 's@FS_SQL_PASSWORD@'"$MYSQL_PASSWORD"'@' ./cleartext-header-mode/docker-compose.yaml
+sed -i 's@FS_SQL_PASSWORD@'"$MYSQL_PASSWORD"'@' ./cleartext-xfcc-mode/docker-compose.yaml
+sed -i 's@FS_SQL_PASSWORD@'"$MYSQL_PASSWORD"'@' ./direct-mtls-mode/docker-compose.yaml
+sed -i 's@FS_SQL_PASSWORD@'"$MYSQL_PASSWORD"'@' ./https-header-mode/docker-compose.yaml
+sed -i 's@FS_SQL_PASSWORD@'"$MYSQL_PASSWORD"'@' ./passthrough-mode/docker-compose.yaml
+
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./cleartext-header-mode/docker-compose.yaml
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./cleartext-xfcc-mode/docker-compose.yaml
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./direct-mtls-mode/docker-compose.yaml
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./https-header-mode/docker-compose.yaml
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./passthrough-mode/docker-compose.yaml
+
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./cleartext-header-mode/config/fleetspeak-server/components.textproto
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./cleartext-xfcc-mode/config/fleetspeak-server/components.textproto
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./direct-mtls-mode/config/fleetspeak-server/components.textproto
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./https-header-mode/config/fleetspeak-server/components.textproto
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./passthrough-mode/config/fleetspeak-server/components.textproto
+
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./cleartext-header-mode/config/fleetspeak.textproto
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./cleartext-xfcc-mode/config/fleetspeak.textproto
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./direct-mtls-mode/config/fleetspeak.textproto
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./https-header-mode/config/fleetspeak.textproto
+sed -i 's@FS_PASSWORD@'"$FLEETSPEAK_PASSWORD"'@' ./passthrough-mode/config/fleetspeak.textproto
diff --git a/sandboxes/direct-mtls-mode/config/fleetspeak-server/components.textproto b/sandboxes/direct-mtls-mode/config/fleetspeak-server/components.textproto
index fc272df1..e692cc75 100644
--- a/sandboxes/direct-mtls-mode/config/fleetspeak-server/components.textproto
+++ b/sandboxes/direct-mtls-mode/config/fleetspeak-server/components.textproto
@@ -1,4 +1,4 @@
-mysql_data_source_name:"fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+mysql_data_source_name:"fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 https_config: {
   listen_address: "0.0.0.0:9090"
   certificates:"FRONTEND_CERTIFICATE"
diff --git a/sandboxes/direct-mtls-mode/config/fleetspeak.textproto b/sandboxes/direct-mtls-mode/config/fleetspeak.textproto
index 4df1919f..ab47c9ba 100644
--- a/sandboxes/direct-mtls-mode/config/fleetspeak.textproto
+++ b/sandboxes/direct-mtls-mode/config/fleetspeak.textproto
@@ -2,7 +2,7 @@ configuration_name: "Example"
 
 components_config {
 
-  mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+  mysql_data_source_name: "fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 
   https_config {
     listen_address: "fleetspeak-server:9090"
diff --git a/sandboxes/direct-mtls-mode/docker-compose.yaml b/sandboxes/direct-mtls-mode/docker-compose.yaml
index 81ccb81f..1c3a52ad 100644
--- a/sandboxes/direct-mtls-mode/docker-compose.yaml
+++ b/sandboxes/direct-mtls-mode/docker-compose.yaml
@@ -7,8 +7,8 @@ services:
     environment:
       MYSQL_DATABASE: 'fleetspeak'
       MYSQL_USER: 'fleetspeak-user'
-      MYSQL_PASSWORD: 'fleetspeak-password'
-      MYSQL_ROOT_PASSWORD: 'password'
+      MYSQL_PASSWORD: 'FS_PASSWORD'
+      MYSQL_ROOT_PASSWORD: 'FS_SQL_PASSWORD'
     ports:
       - '3306:3306'
     expose:
diff --git a/sandboxes/https-header-mode/config/fleetspeak-server/components.textproto b/sandboxes/https-header-mode/config/fleetspeak-server/components.textproto
index 9c122eba..d74c0d32 100644
--- a/sandboxes/https-header-mode/config/fleetspeak-server/components.textproto
+++ b/sandboxes/https-header-mode/config/fleetspeak-server/components.textproto
@@ -1,4 +1,4 @@
-mysql_data_source_name:"fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+mysql_data_source_name:"fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 https_config: {
   listen_address: "0.0.0.0:9090"
   certificates:"FRONTEND_CERTIFICATE"
diff --git a/sandboxes/https-header-mode/config/fleetspeak.textproto b/sandboxes/https-header-mode/config/fleetspeak.textproto
index 4df1919f..ab47c9ba 100644
--- a/sandboxes/https-header-mode/config/fleetspeak.textproto
+++ b/sandboxes/https-header-mode/config/fleetspeak.textproto
@@ -2,7 +2,7 @@ configuration_name: "Example"
 
 components_config {
 
-  mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+  mysql_data_source_name: "fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 
   https_config {
     listen_address: "fleetspeak-server:9090"
diff --git a/sandboxes/https-header-mode/docker-compose.yaml b/sandboxes/https-header-mode/docker-compose.yaml
index b92cbd07..722548a9 100644
--- a/sandboxes/https-header-mode/docker-compose.yaml
+++ b/sandboxes/https-header-mode/docker-compose.yaml
@@ -7,8 +7,8 @@ services:
     environment:
       MYSQL_DATABASE: 'fleetspeak'
       MYSQL_USER: 'fleetspeak-user'
-      MYSQL_PASSWORD: 'fleetspeak-password'
-      MYSQL_ROOT_PASSWORD: 'password'
+      MYSQL_PASSWORD: 'FS_PASSWORD'
+      MYSQL_ROOT_PASSWORD: 'FS_SQL_PASSWORD'
     ports:
       - '3306:3306'
     expose:
diff --git a/sandboxes/passthrough-mode/config/fleetspeak-server/components.textproto b/sandboxes/passthrough-mode/config/fleetspeak-server/components.textproto
index fc272df1..e692cc75 100644
--- a/sandboxes/passthrough-mode/config/fleetspeak-server/components.textproto
+++ b/sandboxes/passthrough-mode/config/fleetspeak-server/components.textproto
@@ -1,4 +1,4 @@
-mysql_data_source_name:"fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+mysql_data_source_name:"fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 https_config: {
   listen_address: "0.0.0.0:9090"
   certificates:"FRONTEND_CERTIFICATE"
diff --git a/sandboxes/passthrough-mode/config/fleetspeak.textproto b/sandboxes/passthrough-mode/config/fleetspeak.textproto
index 4df1919f..ab47c9ba 100644
--- a/sandboxes/passthrough-mode/config/fleetspeak.textproto
+++ b/sandboxes/passthrough-mode/config/fleetspeak.textproto
@@ -2,7 +2,7 @@ configuration_name: "Example"
 
 components_config {
 
-  mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-server:3306)/fleetspeak"
+  mysql_data_source_name: "fleetspeak-user:FS_PASSWORD@tcp(mysql-server:3306)/fleetspeak"
 
   https_config {
     listen_address: "fleetspeak-server:9090"
diff --git a/sandboxes/passthrough-mode/docker-compose.yaml b/sandboxes/passthrough-mode/docker-compose.yaml
index 3fabf2d3..23b2cfa4 100644
--- a/sandboxes/passthrough-mode/docker-compose.yaml
+++ b/sandboxes/passthrough-mode/docker-compose.yaml
@@ -7,8 +7,8 @@ services:
     environment:
       MYSQL_DATABASE: 'fleetspeak'
       MYSQL_USER: 'fleetspeak-user'
-      MYSQL_PASSWORD: 'fleetspeak-password'
-      MYSQL_ROOT_PASSWORD: 'password'
+      MYSQL_PASSWORD: 'FS_PASSWORD'
+      MYSQL_ROOT_PASSWORD: 'FS_SQL_PASSWORD'
     ports:
       - '3306:3306'
     expose:
diff --git a/sandboxes/shared/envoy/Dockerfile b/sandboxes/shared/envoy/Dockerfile
index 0a0fa92a..8cf7416f 100644
--- a/sandboxes/shared/envoy/Dockerfile
+++ b/sandboxes/shared/envoy/Dockerfile
@@ -2,7 +2,7 @@ ARG ENVOY_IMAGE="${ENVOY_IMAGE:-envoyproxy/envoy}"
 ARG ENVOY_VARIANT="${ENVOY_VARIANT:-dev}"
 
 
-FROM ${ENVOY_IMAGE}:${ENVOY_VARIANT} as envoy-base
+FROM ${ENVOY_IMAGE}:${ENVOY_VARIANT} AS envoy-base
 ARG ENVOY_CONFIG=envoy.yaml
 ENV ENVOY_CONFIG="$ENVOY_CONFIG"
 ENV DEBIAN_FRONTEND=noninteractive