diff --git a/.gitignore b/.gitignore index 8f64298..9e8dbc2 100644 --- a/.gitignore +++ b/.gitignore @@ -17,5 +17,3 @@ charts/**/*.lock PRIVATEKEY PUBLICKEY .vagrant/ -pulsarctl-*-*.tar.gz -pulsarctl-*-*/ diff --git a/scripts/pulsar/common_auth.sh b/scripts/pulsar/common_auth.sh index bbca8c0..fdc7eaf 100755 --- a/scripts/pulsar/common_auth.sh +++ b/scripts/pulsar/common_auth.sh @@ -18,34 +18,13 @@ # under the License. # -if [ -z "$CHART_HOME" ]; then - echo "error: CHART_HOME should be initialized" - exit 1 +if [ -z "$PULSAR_VERSION" ]; then + if command -v yq &> /dev/null; then + # use yq to get the appVersion from the Chart.yaml file + PULSAR_VERSION=$(yq .appVersion charts/pulsar/Chart.yaml) + else + # use a default version if yq is not installed + PULSAR_VERSION="4.0.3" + fi fi - -OUTPUT=${CHART_HOME}/output -OUTPUT_BIN=${OUTPUT}/bin -PULSARCTL_VERSION=v3.0.2.6 -PULSARCTL_BIN=${HOME}/.pulsarctl/pulsarctl -export PATH=${HOME}/.pulsarctl/plugins:${PATH} - -test -d "$OUTPUT_BIN" || mkdir -p "$OUTPUT_BIN" - -function pulsar::verify_pulsarctl() { - if test -x "$PULSARCTL_BIN"; then - return - fi - return 1 -} - -function pulsar::ensure_pulsarctl() { - if pulsar::verify_pulsarctl; then - return 0 - fi - echo "Get pulsarctl install.sh script ..." - install_script=$(mktemp) - trap "test -f $install_script && rm $install_script" RETURN - curl --retry 10 -L -o $install_script https://raw.githubusercontent.com/streamnative/pulsarctl/master/install.sh - chmod +x $install_script - $install_script --user --version ${PULSARCTL_VERSION} -} \ No newline at end of file +PULSAR_TOKENS_CONTAINER_IMAGE="apachepulsar/pulsar:${PULSAR_VERSION}" \ No newline at end of file diff --git a/scripts/pulsar/generate_token.sh b/scripts/pulsar/generate_token.sh index b70ef13..b4af58c 100755 --- a/scripts/pulsar/generate_token.sh +++ b/scripts/pulsar/generate_token.sh 
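Review bot: The fallback `PULSAR_VERSION="4.0.3"` in the else branch silently diverges from the chart's appVersion whenever yq is absent, and the yq branch yields an empty value when `charts/pulsar/Chart.yaml` is not found relative to the caller's working directory (this file is sourced after `cd ${CHART_HOME}` in the token scripts, but nothing here checks that). Because PULSAR_TOKENS_CONTAINER_IMAGE is built from it, an empty value produces the tag `apachepulsar/pulsar:` and a docker pull error far from the cause. After the outer `fi`, add `: "${PULSAR_VERSION:?could not determine Pulsar version from charts/pulsar/Chart.yaml}"` and report the choice, e.g. `echo "Using Pulsar image apachepulsar/pulsar:${PULSAR_VERSION}" >&2`. The `yq .appVersion charts/pulsar/Chart.yaml` call appears to assume the v4-style `yq <expr> <file>` syntax; a comment stating which yq flavour is expected would save a debugging round on hosts with another one.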
@@ -20,9 +20,12 @@ set -e -CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +SCRIPT_DIR="$(unset CDPATH && cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)" +CHART_HOME=$(unset CDPATH && cd "$SCRIPT_DIR/../.." && pwd) cd ${CHART_HOME} +source "${SCRIPT_DIR}/common_auth.sh" + usage() { cat < ${tmpfile}" kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['${type}']}" | base64 --decode > ${tmpfile} fi } 
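Review bot: The new `source "${SCRIPT_DIR}/common_auth.sh"` line must stay after `cd ${CHART_HOME}`, because common_auth.sh resolves `charts/pulsar/Chart.yaml` relative to the working directory when it probes the version with yq, and nothing documents that ordering. Add a comment above the source line, e.g. `# must run after cd ${CHART_HOME}: common_auth.sh reads charts/pulsar/Chart.yaml relative to the cwd`. The same two lines are added to generate_token_secret_key.sh in the hunk below. The tail of this hunk (the usage() here-document) appears truncated on this page, so it was not reviewed.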
@@ -110,31 +108,41 @@ function pulsar::jwt::generate_symmetric_token() { local token_name="${release}-token-${role}" local secret_name="${release}-token-symmetric-key" - tmpfile=$(mktemp) - trap "test -f $tmpfile && rm $tmpfile" RETURN - tokentmpfile=$(mktemp) - trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN - pulsar::jwt::get_secret SECRETKEY ${tmpfile} ${secret_name} - ${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile} - newtokentmpfile=$(mktemp) + + local tmpdir=$(mktemp -d) + trap "test -d $tmpdir && rm -rf $tmpdir" RETURN + secretkeytmpfile=${tmpdir}/secret.key + tokentmpfile=${tmpdir}/token.jwt + + pulsar::jwt::get_secret SECRETKEY ${secretkeytmpfile} ${secret_name} + + docker run --user 0 --rm -t -v ${tmpdir}:/keydir ${PULSAR_TOKENS_CONTAINER_IMAGE} bin/pulsar tokens create -a HS256 --subject "${role}" --secret-key=file:/keydir/secret.key > ${tokentmpfile} + + newtokentmpfile=${tmpdir}/token.jwt.new tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile} - echo "kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client}" kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client} + rm -rf $tmpdir } function pulsar::jwt::generate_asymmetric_token() { local token_name="${release}-token-${role}" local secret_name="${release}-token-asymmetric-key" - privatekeytmpfile=$(mktemp) - trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN - tokentmpfile=$(mktemp) - trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN + local tmpdir=$(mktemp -d) + trap "test -d $tmpdir && rm -rf $tmpdir" RETURN + + privatekeytmpfile=${tmpdir}/privatekey.der + tokentmpfile=${tmpdir}/token.jwt + pulsar::jwt::get_secret PRIVATEKEY ${privatekeytmpfile} ${secret_name} - ${PULSARCTL_BIN} token create -a RS256 
--private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile} - newtokentmpfile=$(mktemp) + + # Generate token + docker run --user 0 --rm -t -v ${tmpdir}:/keydir ${PULSAR_TOKENS_CONTAINER_IMAGE} bin/pulsar tokens create -a RS256 --subject "${role}" --private-key=file:/keydir/privatekey.der > ${tokentmpfile} + + newtokentmpfile=${tmpdir}/token.jwt.new tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile} kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" ${local:+ -o yaml --dry-run=client} + rm -rf $tmpdir } if [[ "${symmetric}" == "true" ]]; then diff --git a/scripts/pulsar/generate_token_secret_key.sh b/scripts/pulsar/generate_token_secret_key.sh index ba4d4f4..f61322a 100755 --- a/scripts/pulsar/generate_token_secret_key.sh +++ b/scripts/pulsar/generate_token_secret_key.sh @@ -20,9 +20,12 @@ set -e -CHART_HOME=$(unset CDPATH && cd $(dirname "${BASH_SOURCE[0]}")/../.. && pwd) +SCRIPT_DIR="$(unset CDPATH && cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)" +CHART_HOME=$(unset CDPATH && cd "$SCRIPT_DIR/../.." && pwd) cd ${CHART_HOME} +source "${SCRIPT_DIR}/common_auth.sh" + usage() { cat <secret.yaml} 
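Review bot: The token files written by the two `docker run --user 0 --rm -t ... > ${tokentmpfile}` lines likely carry CRLF line endings, because `-t` allocates a pseudo-TTY and the container's output is passed through the terminal line discipline; the following `tr -d '\n'` strips only the LF, so the TOKEN value stored in the Secret would end in a stray `\r` that the broker would reject. Dropping `-t` (stdout is redirected to a file here, so no TTY is needed) or using `tr -d '\r\n'` fixes this; the same `-t` redirect appears on the `create-secret-key > "${tmpfile}"` line in the generate_token_secret_key.sh hunk below, where the raw secret-key bytes would go through the same translation. Separately, `local tmpdir=$(mktemp -d)` in both functions hides mktemp's exit status from `set -e`, so a failed mktemp continues with an empty tmpdir; write `local tmpdir` and `tmpdir=$(mktemp -d)` on separate lines. secretkeytmpfile, privatekeytmpfile, tokentmpfile and newtokentmpfile are assigned without `local` and leak into the caller's scope, unlike tmpdir.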
@@ -85,31 +84,38 @@ local_cmd=${file:+-o yaml --dry-run=client >secret.yaml} function pulsar::jwt::generate_symmetric_key() { local secret_name="${release}-token-symmetric-key" - tmpfile=$(mktemp) - trap "test -f $tmpfile && rm $tmpfile" RETURN - ${PULSARCTL_BIN} token create-secret-key --output-file ${tmpfile} - mv $tmpfile SECRETKEY - kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY ${local:+ -o yaml --dry-run=client} - if [[ "${local}" != "true" ]]; then - rm SECRETKEY + local tmpdir=$(mktemp -d) + trap "test -d $tmpdir && rm -rf $tmpdir" RETURN + local tmpfile=${tmpdir}/SECRETKEY + docker run --rm -t ${PULSAR_TOKENS_CONTAINER_IMAGE} bin/pulsar tokens create-secret-key > "${tmpfile}" + kubectl create secret generic ${secret_name} -n ${namespace} --from-file=$tmpfile ${local:+ -o yaml --dry-run=client} + # if local is true, keep the file available for debugging purposes + if [[ "${local}" == "true" ]]; then + mv $tmpfile SECRETKEY fi + rm -rf $tmpdir } function pulsar::jwt::generate_asymmetric_key() { local secret_name="${release}-token-asymmetric-key" - privatekeytmpfile=$(mktemp) - trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN - publickeytmpfile=$(mktemp) - trap "test -f $publickeytmpfile && rm $publickeytmpfile" RETURN - ${PULSARCTL_BIN} token create-key-pair -a RS256 --output-private-key ${privatekeytmpfile} --output-public-key ${publickeytmpfile} - mv $privatekeytmpfile PRIVATEKEY - mv $publickeytmpfile PUBLICKEY - kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY ${local:+ -o yaml --dry-run=client} - if [[ "${local}" != "true" ]]; then - rm PRIVATEKEY - rm PUBLICKEY + local tmpdir=$(mktemp -d) + trap "test -d $tmpdir && rm -rf $tmpdir" RETURN + + privatekeytmpfile=${tmpdir}/PRIVATEKEY + publickeytmpfile=${tmpdir}/PUBLICKEY + + # Generate key pair + docker run --user 0 --rm -t -v ${tmpdir}:/keydir ${PULSAR_TOKENS_CONTAINER_IMAGE} bin/pulsar tokens 
create-key-pair --output-private-key=/keydir/PRIVATEKEY --output-public-key=/keydir/PUBLICKEY + + kubectl create secret generic ${secret_name} -n ${namespace} --from-file=$privatekeytmpfile --from-file=$publickeytmpfile ${local:+ -o yaml --dry-run=client} + + # if local is true, keep the files available for debugging purposes + if [[ "${local}" == "true" ]]; then + mv $privatekeytmpfile PRIVATEKEY + mv $publickeytmpfile PUBLICKEY fi + rm -rf $tmpdir } if [[ "${symmetric}" == "true" ]]; then diff --git a/scripts/pulsar/get_token.sh b/scripts/pulsar/get_token.sh index 4f44365..31003ad 100755 --- a/scripts/pulsar/get_token.sh +++ b/scripts/pulsar/get_token.sh @@ -74,10 +74,6 @@ if [[ "x${role}" == "x" ]]; then exit 1 fi -source ${CHART_HOME}/scripts/pulsar/common_auth.sh - -pulsar::ensure_pulsarctl - namespace=${namespace:-pulsar} release=${release:-pulsar-dev}
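Review bot: The key names inside the Kubernetes Secret are now derived implicitly from file basenames — `--from-file=$tmpfile` yields `SECRETKEY` and `--from-file=$privatekeytmpfile --from-file=$publickeytmpfile` yield `PRIVATEKEY`/`PUBLICKEY` — while generate_token.sh reads them back by name through `jsonpath="{.data['${type}']}"`, so renaming `${tmpdir}/SECRETKEY` would silently break token generation. Make the contract explicit with `--from-file=SECRETKEY=$tmpfile` and `--from-file=PRIVATEKEY=$privatekeytmpfile --from-file=PUBLICKEY=$publickeytmpfile`, or add a comment above each kubectl line such as `# file basenames become the Secret keys; generate_token.sh reads SECRETKEY/PRIVATEKEY by name`. The `mv ... SECRETKEY` / `mv ... PRIVATEKEY` lines in the local branch drop the key material into the current directory with whatever mode the container created it (the key-pair container runs as root); a `chmod 600` before the mv and a comment that these files are for local debugging only would be worth adding. The .gitignore hunk in this commit shows PRIVATEKEY and PUBLICKEY but not SECRETKEY, so it is worth confirming that file is ignored as well.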