diff --git a/manifest/external-secrets/secret-store/secret-store.yaml b/manifest/external-secrets/secret-store/secret-store.yaml
new file mode 100644
index 0000000..f61a1ae
--- /dev/null
+++ b/manifest/external-secrets/secret-store/secret-store.yaml
@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+ name: vault-backend
+spec:
+ provider:
+ vault:
+ server: "http://vault.vault.svc.cluster.local:8200"
+ path: "kv"
+ # Version is the Vault KV secret engine version.
+ # This can be either "v1" or "v2", defaults to "v2"
+ version: "v2"
+ auth:
+ # points to a secret that contains a vault token
+ # https://www.vaultproject.io/docs/auth/token
+ tokenSecretRef:
+ name: "vault-token"
+ key: "token"
+ namespace: "external-secrets"
diff --git a/manifest/external-secrets/secret-store/vault-token-secret.yaml b/manifest/external-secrets/secret-store/vault-token-secret.yaml
new file mode 100644
index 0000000..7c6009b
--- /dev/null
+++ b/manifest/external-secrets/secret-store/vault-token-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vault-token
+ namespace: external-secrets # Must match the namespace defined in ClusterSecretStore tokenSecretRef
+type: Opaque
+data:
+ # Base64 encoded vault token.
+ # You can generate this by running: echo -n "YOUR_VAULT_TOKEN" | base64
+ token: aHZzLmJyUHBpbmZPTlI5RU9BeHpNR0ZIaDBIaA== # placeholder
diff --git a/manifest/jenkins/values.yaml b/manifest/jenkins/values.yaml
index b95fbde..9c2b145 100644
--- a/manifest/jenkins/values.yaml
+++ b/manifest/jenkins/values.yaml
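Review bot: `server:` points the store at Vault over plain `http://`, so the token presented on every sync and every secret value returned cross the cluster network unencrypted; unless an ambient mTLS layer already covers this path, change it to `server: "https://vault.vault.svc.cluster.local:8200"` and add a `caBundle` or `caProvider` under `vault:` so the operator validates Vault's certificate. Because this is a `ClusterSecretStore`, an `ExternalSecret` in any namespace may reference `vault-backend` and read whatever the token's policy allows; add `spec.conditions` with a `namespaces` or `namespaceSelector` entry that limits it to the Jenkins namespace. Static `tokenSecretRef` auth also has no rotation story once the token's TTL runs out, whereas ESO's `auth.kubernetes` (a Vault role bound to the operator's ServiceAccount) keeps no long-lived Vault token in the cluster at all. The Jenkins values file wired to this store says its chart emits a `v1beta1` ExternalSecret while the store is `external-secrets.io/v1`; confirm the installed ESO release serves both API versions.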
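Review bot: The `token:` value on the last added line base64-decodes to an `hvs.`-prefixed string, the exact format of a real Vault service token, despite the `# placeholder` comment; if it was ever live it is now in git history and must be revoked in Vault, and even as a placeholder it should be an obviously inert value such as `token: ""  # populate out-of-band, never commit` so it cannot be copied into a deployment as-is. A Secret with populated `data` committed to the repository also undercuts the point of fetching secrets through ESO, since base64 is encoding, not protection; create it with `kubectl create secret`, keep it as a SealedSecret/SOPS-encrypted file, or remove the need for it by moving the ClusterSecretStore to Vault's Kubernetes auth method. Whatever token is issued should be bound to a policy limited to read on the `kv` paths Jenkins needs, with a TTL and renewal the operator can sustain at the hourly refresh the Jenkins values configure.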
@@ -97,17 +97,17 @@ controller:
 # The default configuration uses this secret to configure an admin user
 # If you don't need that user or use a different security realm, then you can disable it
 # -- Must stay true so the controller mounts the admin Secret; when existingSecret is set, the chart does not create that Secret (supply it yourself or via externalSecret).
- createSecret: true
+ createSecret: false
 # -- If set, chart does not create the admin Secret; you must create it (e.g. kubectl) or use externalSecret (requires ESO CRDs on the cluster).
 existingSecret: ""
 # -- Emits external-secrets.io/v1beta1 ExternalSecret (needs External Secrets Operator installed). Helm cannot talk to Vault without it or another sync mechanism.
 externalSecret:
- enabled: false
+ enabled: true
 refreshInterval: 1h
 secretStoreRef:
- name: vault
+ name: vault-backend
 kind: ClusterSecretStore
 remoteRef: # Vault KV v2 secret name under the store mount (your UI path: Secrets / kv / jenkins-admin-password)