diff --git a/gitops/home-kubernetes/external-secrets/cloudsecretstore-vault.yaml b/gitops/home-kubernetes/external-secrets/cloudsecretstore-vault.yaml
new file mode 100644
index 0000000..79e51c4
--- /dev/null
+++ b/gitops/home-kubernetes/external-secrets/cloudsecretstore-vault.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+ name: vault-backend
+ namespace: external-secrets
+spec:
+ provider:
+ vault:
+ server: "https://vault.hrajfrisbee.cz:8200"
+ path: "secret"
+ version: "v2"
+ auth:
+ appRole:
+ path: "approle"
+ roleId: "8833d0f8-d35d-d7ea-658b-c27837d121ab" # or reference a secret
+ secretRef:
+ name: vault-approle
+ key: secret-id
\ No newline at end of file
diff --git a/gitops/home-kubernetes/external-secrets/helmrelease.yaml b/gitops/home-kubernetes/external-secrets/helmrelease.yaml
index 70491cc..747d1f0 100644
--- a/gitops/home-kubernetes/external-secrets/helmrelease.yaml
+++ b/gitops/home-kubernetes/external-secrets/helmrelease.yaml
@@ -21,7 +21,7 @@ spec:
 remediation:
 retries: 3
 values:
- replicaCount: 2
+ replicaCount: 1
 leaderElect: true
 # Resources (adjust to your cluster)
@@ -33,7 +33,7 @@ spec:
 memory: 256Mi
 webhook:
- replicaCount: 2
+ replicaCount: 1
 resources:
 requests:
 cpu: 25m
@@ -45,7 +45,7 @@ spec:
 minAvailable: 1
 certController:
- replicaCount: 2
+ replicaCount: 1
 resources:
 requests:
 cpu: 25m
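Review bot: The `ClusterSecretStore` added in cloudsecretstore-vault.yaml has no `conditions`, so an ExternalSecret in any namespace can read through this AppRole whatever its Vault policy allows under `secret`; restricting it with `conditions` and a `namespaces` list (or using a namespaced `SecretStore`) limits access to the workloads that need it. The kind is cluster-scoped, so `metadata.namespace` has no effect, and `secretRef` carries no `namespace`, which external-secrets appears to require on references from a cluster-scoped store; confirm against the installed version. The AppRole role ID is also committed in plain text, and the inline comment already points at the alternative: `roleRef` would keep both halves of the credential out of the repository. The allowed namespace and the `role-id` key in the sketch below are placeholders, and `external-secrets` as the Secret's namespace is assumed from the manifest's own metadata.

```yaml
spec:
  # restrict which namespaces may reference this cluster-wide store
  conditions:
    - namespaces:
        - "<namespace-allowed-to-use-vault>"
  provider:
    vault:
      # … unchanged: server, path, version …
      auth:
        appRole:
          path: "approle"
          roleRef:
            name: vault-approle
            namespace: external-secrets
            key: role-id  # placeholder key name
          secretRef:
            name: vault-approle
            namespace: external-secrets
            key: secret-id
```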
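Review bot: In helmrelease.yaml, the second hunk drops the webhook to `replicaCount: 1` while the third hunk's context still shows `minAvailable: 1`, which looks like that component's PodDisruptionBudget (the block starts outside the hunk). With one replica and `minAvailable: 1` no voluntary eviction is permitted, so a node drain would stall on this pod; if a single replica is intended, disable that budget or express it as `maxUnavailable: 1`, if the chart supports it. A single webhook replica also means admission of ExternalSecret and SecretStore objects is unavailable while the pod restarts, and if the webhook's failure policy is `Fail` those writes are rejected in that window. The same reduction in the first and third hunks (controller and certController) is less sensitive, though `leaderElect: true` no longer buys anything with one controller replica.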