Add external secret configuration for Jenkins admin credentials in values.yaml and create ExternalSecret template for Vault integration.

manifest/jenkins/templates/jenkins-admin-externalsecret.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.controller.admin.externalSecret.enabled }}
+{{- $es := .Values.controller.admin.externalSecret }}
+{{- $rr := $es.remoteRef | default dict }}
+{{- $sk := $rr.secretKey | default "password" }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ include "jenkins.fullname" . }}-admin-vault
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    {{- include "jenkins.labels" . | nindent 4 }}
+spec:
+  refreshInterval: {{ $es.refreshInterval | default "1h" | quote }}
+  secretStoreRef:
+    name: {{ $es.secretStoreRef.name }}
+    kind: {{ $es.secretStoreRef.kind | default "ClusterSecretStore" }}
+  target:
+    name: {{ .Values.controller.admin.existingSecret | default "jenkins-admin" | quote }}
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      data:
+        {{ .Values.controller.admin.userKey | default "jenkins-admin-user" | quote }}: {{ .Values.controller.admin.username | default "admin" | quote }}
+        {{ .Values.controller.admin.passwordKey | default "jenkins-admin-password" | quote }}: {{ printf "{{ .%s }}" $sk | quote }}
+  data:
+    - secretKey: {{ $sk | quote }}
+      remoteRef:
+        key: {{ $rr.key | quote }}
+        property: {{ $rr.property | quote }}
+{{- end }}

manifest/jenkins/values.yaml

@@ -96,11 +96,26 @@ controller:
 
     # The default configuration uses this secret to configure an admin user
     # If you don't need that user or use a different security realm, then you can disable it
-    # -- Create secret for admin user
+    # -- Must stay true so the controller mounts the admin Secret; when existingSecret is set, the chart does not create that Secret (supply it yourself or via externalSecret).
     createSecret: true
 
-    # -- The name of an existing secret containing the admin credentials
+    # -- Kubernetes Secret name with keys userKey / passwordKey (created manually, by External Secrets, etc.). Example for Vault: jenkins-admin.
     existingSecret: ""
+
+    # -- HashiCorp Vault → ExternalSecret → target Secret (requires External Secrets Operator + ClusterSecretStore). Helm does not read Vault.
+    externalSecret:
+      enabled: false
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault
+        kind: ClusterSecretStore
+      remoteRef:
+        # Vault KV v2 secret name under the store mount (your UI path: Secrets / kv / jenkins-admin-password)
+        key: jenkins-admin-password
+        # Field name inside that Vault secret (check the Secret tab in the UI)
+        property: password
+        # Must match secretKey below; exposed to the template as .password
+        secretKey: password
   # -- Email address for the administrator of the Jenkins instance
   jenkinsAdminEmail: