diff --git a/.prow/postsubmits.yaml b/.prow/postsubmits.yaml
index fea257f..66592ca 100644
--- a/.prow/postsubmits.yaml
+++ b/.prow/postsubmits.yaml
@@ -81,13 +81,21 @@ postsubmits:
 labels:
 preset-docker-push: "true"
 preset-goproxy: "true"
+ preset-vault: "true"
 spec:
 containers:
 - image: quay.io/kubermatic/build:go-1.23-node-20-kind-0.23-0
 command:
- - make
- args:
- - release-charts
+ - /bin/bash
+ - -c
+ - |
+ set -euo pipefail
+
+ # Calculate Git Tag.
+ GIT_HEAD_TAG="$(git tag -l "${PULL_BASE_REF:-}")"
+ RELEASE_TAG="${TAG:-$GIT_HEAD_TAG}"
+
+ make IMAGE_TAG=$RELEASE_TAG release-charts
 resources:
 requests:
 cpu: 100m
diff --git a/Makefile b/Makefile
index 1316efe..17010df 100644
--- a/Makefile
+++ b/Makefile
@@ -244,7 +244,7 @@ bump-chart:
 $(SED) -i "s/tag:.*/tag: $(IMAGE_TAG)/" charts/*/values.yaml
 .PHONY: release-charts helm-docs generate-helm-docs
-release-charts: helm-lint generate-helm-docs bump-chart
+release-charts: bump-chart helm-lint generate-helm-docs
 CHART_VERSION=$(IMAGE_TAG) ./hack/release-helm-charts.sh
 .PHONY: crd-ref-docs
diff --git a/hack/lib.sh b/hack/lib.sh
index e49ab7b..a15487e 100755
--- a/hack/lib.sh
+++ b/hack/lib.sh
@@ -139,3 +139,21 @@ containerize() {
 exit $?
 fi
 }
+
+vault_ci_login() {
+ # already logged in
+ if [ -n "${VAULT_TOKEN:-}" ]; then
+ return 0
+ fi
+
+ # check environment variables
+ if [ -z "${VAULT_ROLE_ID:-}" ] || [ -z "${VAULT_SECRET_ID:-}" ]; then
+ echo "VAULT_ROLE_ID and VAULT_SECRET_ID must be set to programmatically authenticate against Vault."
+ return 1
+ fi
+
+ local token
+ token=$(vault write --format=json auth/approle/login "role_id=$VAULT_ROLE_ID" "secret_id=$VAULT_SECRET_ID" | jq -r '.auth.client_token')
+
+ export VAULT_TOKEN="$token"
+}
diff --git a/hack/release-helm-charts.sh b/hack/release-helm-charts.sh
index f0aa86e..00c0024 100755
--- a/hack/release-helm-charts.sh
+++ b/hack/release-helm-charts.sh
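Review bot: `RELEASE_TAG` can be empty on the `make IMAGE_TAG=$RELEASE_TAG release-charts` line: a postsubmit on a branch gives `PULL_BASE_REF` a branch name, `git tag -l` then lists nothing, and nothing shown guarantees `TAG` is set, so the job runs `bump-chart` and rewrites `tag:` in every `charts/*/values.yaml` to an empty value before the release script's own `CHART_VERSION` check aborts. `git tag -l` also takes a glob, so a pattern matching several tags yields a multi-line value that the unquoted expansion splits into extra make arguments. Fail fast in the script instead, `[ -n "$RELEASE_TAG" ] || { echo "no release tag for ${PULL_BASE_REF:-<unset>}" >&2; exit 1; }`, and quote the expansion, `make IMAGE_TAG="$RELEASE_TAG" release-charts`. Worth confirming what `git tag -l ""` returns when `PULL_BASE_REF` is unset, since an empty pattern may list every tag. The new `preset-vault` label also hands this job Vault AppRole credentials alongside the docker-push ones; nothing in this diff shows what the release consumes them for, so the need should be documented next to the label.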
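Review bot: The reordering on the `release-charts:` prerequisite line relies on Make running prerequisites left to right, which holds only for a serial build; under `make -j` the three prerequisites may run in any order, so `helm-lint` and `generate-helm-docs` can still observe the pre-bump `values.yaml`. If the bump must happen first, express the ordering explicitly rather than by position, for example by running `$(MAKE) bump-chart`, `$(MAKE) helm-lint` and `$(MAKE) generate-helm-docs` as separate recipe lines of `release-charts`, or by adding a `.NOTPARALLEL:` declaration for this Makefile. Note also that `bump-chart` now mutates `charts/*/values.yaml` before any validation has passed, so a failing lint leaves a modified tree; that is fine in a throwaway CI workspace but surprising for a local `make release-charts`, and a comment on the target saying so would help.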
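Review bot: `vault_ci_login` returns 0 whenever the `export VAULT_TOKEN="$token"` line runs, regardless of whether the `vault write | jq` pipeline succeeded, so a failed login exports an empty token or the literal string `null` (what `jq -r` prints when `.auth.client_token` is absent), and the `retry 5 vault_ci_login` caller sees success; on any later attempt the `-n "${VAULT_TOKEN:-}"` shortcut then returns 0 immediately, so the retry never actually retries and the failure only surfaces on the first secret read. Validate before exporting: `[ -n "$token" ] && [ "$token" != "null" ] || { echo "Vault AppRole login returned no client token" >&2; return 1; }`. The `"secret_id=$VAULT_SECRET_ID"` argument also puts the AppRole secret on the `vault` command line, readable from `/proc/<pid>/cmdline` by anything else in the container; `vault write` accepts `-` to read a value from stdin, so `printf '%s' "$VAULT_SECRET_ID" | vault write -format=json auth/approle/login "role_id=$VAULT_ROLE_ID" secret_id=-` keeps it out of the process list. How `retry` invokes the function, and whether `set -e` is suppressed inside it, is not visible here, but neither outcome gives a working retry.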
@@ -19,6 +19,17 @@ set -euo pipefail
 cd $(dirname $0)/..
 source hack/lib.sh
+## When running out of CI, it's expected that the user has already configured vault
+if [ -n "$JOB_NAME" ] || [ -n "$PROW_JOB_ID" ]; then
+ echodate "Getting secrets from Vault"
+ retry 5 vault_ci_login
+fi
+
+if [ -z "$CHART_VERSION" ]; then
+ echo "CHART_VERSION is empty, cannot proceed"
+ exit 1
+fi
+
 REGISTRY_HOST="${REGISTRY_HOST:-quay.io}"
 REPOSITORY_PREFIX="${REPOSITORY_PREFIX:-kubermatic/helm-charts}"
@@ -38,6 +49,10 @@ CHART_PACKAGE_MANAGER="${MANAGER}-${CHART_VERSION}.tgz"
 CHART_PACKAGE_CCM="${CCM}-${CHART_VERSION}.tgz"
 echodate "Packaging helm charts ${CHART_PACKAGE_MANAGER} and ${CHART_PACKAGE_CCM}"
+
+helm dependency build charts/kubelb-manager
+helm dependency build charts/kubelb-ccm
+
 helm package charts/${MANAGER} --version ${CHART_VERSION} --destination ./
 helm package charts/${CCM} --version ${CHART_VERSION} --destination ./
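Review bot: The new `if [ -n "$JOB_NAME" ] || [ -n "$PROW_JOB_ID" ]` test runs under the `set -euo pipefail` shown as this hunk's context, so outside CI, exactly the case the comment above it describes, `JOB_NAME` is unset and bash aborts with an unbound-variable error before the check is evaluated; the same applies to `[ -z "$CHART_VERSION" ]`, which can never print its message when the variable is genuinely unset rather than empty. Use default expansions: `if [ -n "${JOB_NAME:-}" ] || [ -n "${PROW_JOB_ID:-}" ]; then` and `if [ -z "${CHART_VERSION:-}" ]; then`. Nothing in this hunk reads a secret after `vault_ci_login`, so the token's consumer is presumably further down the script; if so, moving the login below the `CHART_VERSION` check lets a misconfigured run fail before it contacts Vault at all.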
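Review bot: The two added `helm dependency build` lines hard-code `charts/kubelb-manager` and `charts/kubelb-ccm` while the `helm package` lines directly below use `${MANAGER}` and `${CCM}`; if those variables are ever repointed the dependencies are built for the wrong directories, so write `helm dependency build "charts/${MANAGER}"` and `helm dependency build "charts/${CCM}"`. `helm dependency build` pins dependency versions only when a `Chart.lock` is committed next to each `Chart.yaml`; without one it falls back to `helm dependency update` behaviour and resolves whatever the chart repositories serve at release time, which is worth confirming for both charts given this runs in the release path. If the upstream repositories publish provenance files, `--verify` on these two calls would additionally check signatures before packaging.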