Add external secret configuration for Jenkins admin credentials in values.yaml and create ExternalSecret template for Vault integration.

manifest/jenkins/values.yaml

@@ -96,11 +96,26 @@ controller:
 
     # The default configuration uses this secret to configure an admin user
     # If you don't need that user or use a different security realm, then you can disable it
-    # -- Create secret for admin user
+    # -- Must stay true so the controller mounts the admin Secret; when existingSecret is set, the chart does not create that Secret (supply it yourself or via externalSecret).
     createSecret: true
 
-    # -- The name of an existing secret containing the admin credentials
+    # -- Kubernetes Secret name with keys userKey / passwordKey (created manually, by External Secrets, etc.). Example for Vault: jenkins-admin.
     existingSecret: ""
+
+    # -- HashiCorp Vault → ExternalSecret → target Secret (requires External Secrets Operator + ClusterSecretStore). Helm does not read Vault.
+    externalSecret:
+      enabled: false
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault
+        kind: ClusterSecretStore
+      remoteRef:
+        # Vault KV v2 secret name under the store mount (your UI path: Secrets / kv / jenkins-admin-password)
+        key: jenkins-admin-password
+        # Field name inside that Vault secret (check the Secret tab in the UI)
+        property: password
+        # Must match secretKey below; exposed to the template as .password
+        secretKey: password
   # -- Email address for the administrator of the Jenkins instance
   jenkinsAdminEmail: