diff --git a/manifest/jenkins/templates/jenkins-admin-externalsecret.yaml b/manifest/jenkins/templates/jenkins-admin-externalsecret.yaml
index 3cb3b70..79c6b3e 100644
--- a/manifest/jenkins/templates/jenkins-admin-externalsecret.yaml
+++ b/manifest/jenkins/templates/jenkins-admin-externalsecret.yaml
@@ -5,7 +5,7 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: {{ include "jenkins.fullname" . }}-admin-vault
+  name: {{ include "jenkins.fullname" . }}-admin
   namespace: {{ template "jenkins.namespace" . }}
   labels:
     {{- include "jenkins.labels" . | nindent 4 }}
diff --git a/manifest/jenkins/values.yaml b/manifest/jenkins/values.yaml
index d60a5c0..40114c9 100644
--- a/manifest/jenkins/values.yaml
+++ b/manifest/jenkins/values.yaml
@@ -99,12 +99,12 @@ controller:
     # -- Must stay true so the controller mounts the admin Secret; when existingSecret is set, the chart does not create that Secret (supply it yourself or via externalSecret).
     createSecret: true
 
-    # -- Kubernetes Secret name with keys userKey / passwordKey (created manually, by External Secrets, etc.). Example for Vault: jenkins-admin.
-    existingSecret: ""
+    # -- Must match ExternalSecret spec.target.name (default in templates/jenkins-admin-externalsecret.yaml is jenkins-admin). If empty, the chart mounts the release fullname Secret instead — not the Vault-backed one.
+    existingSecret: jenkins-admin
 
     # -- HashiCorp Vault → ExternalSecret → target Secret (requires External Secrets Operator + ClusterSecretStore). Helm does not read Vault.
     externalSecret:
-      enabled: false
+      enabled: true
       refreshInterval: 1h
       secretStoreRef:
         name: vault