diff --git a/README.md b/README.md
index f139916..8c24fdf 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,96 @@ # k8s-configs
+## Настройка внешних секретов
+
+[Ссылка на офф. доку](https://bank-vaults.dev)
+
+Для создания vault injector нужно установить helm
+
+```bash
+helm upgrade -n vault-infra --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook
+```
+
+Далее создать роль секрет и рольбиндинг
+
+```bash
+kubectl apply -f clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-service-account.yaml
+kubectl apply -f clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-cluster_role_binding.yaml
+kubectl apply -f clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-secret.yaml
+```
+
+Настройка со стороны vault
+
+```bash
+vault auth enable -path=avroid-office kubernetes
+
+TOKEN=$(kubectl get secret vault -n vault-infra -o jsonpath="{.data.token}" | base64 --decode)
+CA_CERT=$(kubectl get secret vault -n vault-infra -o jsonpath="{.data['ca\.crt']}" | base64 --decode)
+ISSUER=$(kubectl get --raw /.well-known/openid-configuration | jq '.issuer')
+K8S_CLUSTER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
+
+vault write auth/avroid-office/config \
+ kubernetes_host="${K8S_CLUSTER}" \
+ token_reviewer_jwt="${TOKEN}" \
+ kubernetes_ca_cert="${CA_CERT}" \
+ issuer="${ISSUER}" \
+ disable_local_ca_jwt="true"
+```
+
+Далее создаем app роль - на каждый namespace нужно создавать свою роль с одноименным названием.
+
+```bash
+vault write auth/avroid-office/role/tavro-cloud-dev \
+ bound_service_account_names="*" \
+ bound_service_account_namespaces="tavro-cloud-dev" \
+ policies="prj-tavro-cloud-backend" \
+ ttl="24h"
+```
+
+policies - содержит список vault полиси, если нужно добавить новый, то просто добавляем и выполняем эту команду
+
+ВНИМАНИЕ: для нормальной работы должен быть создан service-account в каждом namespace
+
+для этого просто нужно выполнить
+
+```bash
+# не забудь поменять в файле namespace свой
+cp clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-service-account.yaml ./
+# далее меняем в файле имя на свой namespace и запускаем
+kubectl apply -f vault-service-account.yaml
+```
+
+Простой пример для тестирования - в логах вы увидите свой секрет
+
+```yaml
+kubectl apply -n sandbox -f - <<"EOF"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vault-test
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: vault
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: vault
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech" # внешний адрес vault
+ vault.security.banzaicloud.io/vault-role: "vault-k8s-role" # роль из под которой будем ходить в vault
+ vault.security.banzaicloud.io/vault-skip-verify: "false" # проверять сертификат или нет на стороне vault
+# vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" # сертификат для vault если он самоподписанный
+# vault.security.banzaicloud.io/vault-agent: "false" # запускать акента который будет отслеживать изменения секрета
+ vault.security.banzaicloud.io/vault-path: "avroid-office" # название kubernetes аутентификации в vault
+ spec:
+ serviceAccountName: vault # имя сервиса аккаунта - должен быть в каждом namespace
+ containers:
+ - name: alpine
+ image: alpine
+ command: ["sh", "-c", "echo $POSTGRES_DSN && echo going to sleep...
&& sleep 10000"]
+ env:
+ - name: POSTGRES_DSN # переменная окружения куда попадет секрет
+ value: vault:prj-tavro-cloud-backend/data/k8s/avroid.local/ns-tarvo-cloud-dev/svc-messenger-core-api#POSTGRES_DSN # путь до секрета
+EOF
+```
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-harbor-secret.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-harbor-secret.yaml
new file mode 100644
index 0000000..076f943
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-harbor-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: manual
+ name: harbor-registry-secret
+ namespace: jenkins-builds
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJyb2JvdCRjaSIsInBhc3N3b3JkIjoiSFJqOWlIQXh2VUl1eVRab2d1S1BkR21US082UjlkUnoiLCJhdXRoIjoiY205aWIzUWtZMms2U0ZKcU9XbElRWGgyVlVsMWVWUmFiMmQxUzFCa1IyMVVTMDgyVWpsa1Vubz0ifX19
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role-binding.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role-binding.yaml
new file mode 100644
index 0000000..1087560
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: manual
+ name: jenkins
+ namespace: jenkins-builds
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: jenkins
+subjects:
+ - kind: ServiceAccount
+ name: jenkins
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role.yaml
new file mode 100644
index 0000000..87941b7
--- /dev/null
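Review bot: The `.dockerconfigjson` on the last line of this Secret is base64, not encryption — it decodes to a `harbor.avroid.tech` auth entry carrying the robot account's username and password, so a registry credential is now committed in the clear, which contradicts the repo's own rule on the TLS secret in tavro-cloud-dev (`Don't push it to git!`). Deleting the line later does not help because the value stays in git history, so rotate the robot account in Harbor and treat the old password as burned. Keep the manifest as a template, `.dockerconfigjson: ""  # filled from Vault out of band, never committed`, and create the real Secret at apply time (`kubectl create secret docker-registry ...`) or through the vault-secrets-webhook the README installs, if that webhook is meant to cover Secrets — verify against its docs. The identical payload is also committed in tavro-cloud-dev/.rbac/jenkins-harbor-secret.yaml, so one rotation covers both.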
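Review bot: The ServiceAccount subject in this RoleBinding has no `namespace`, so it relies on the RBAC authorizer defaulting it to the binding's own namespace; the sibling binding in tavro-cloud-dev/.rbac/jenkins-deploy-tavro-cloud-dev-role-binding.yaml spells it out. Make it explicit so the file reads unambiguously and matches the rest of the tree: add `      namespace: jenkins-builds` under `name: jenkins` in `subjects`.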
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role.yaml
@@ -0,0 +1,57 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: manual
+ name: jenkins
+ namespace: jenkins-builds
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - persistentvolumes
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ - storageclass
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ - nodes
+ verbs:
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - nodes
+ verbs:
+ - get
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-secret.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-secret.yaml
new file mode 100644
index 0000000..6c54edc
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: jenkins
+ namespace: jenkins-builds
+ annotations:
+ kubernetes.io/service-account.name: jenkins
+ labels:
+ name: jenkins-builds
+ app.kubernetes.io/managed-by: manual
+type: kubernetes.io/service-account-token
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-service-account.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-service-account.yaml
new file mode 100644
index 0000000..2ba0cff
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-service-account.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ name: jenkins
+ app.kubernetes.io/managed-by: manual
+ name: jenkins
+ namespace: jenkins-builds
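Review bot: Several entries in this Role either grant nothing or name a resource that does not exist: `nodes` and `persistentvolumes` are cluster-scoped and cannot be granted through a namespaced Role, and `storageclass` is not a resource of the core (`""`) API group — it is `storageclasses` under `storage.k8s.io`, so that rule is silently dead. If Jenkins genuinely needs those, put them in a ClusterRole bound to this ServiceAccount; otherwise drop them so the Role documents the real privilege, which is already broad — `pods/exec` create (the only verb that matters for that subresource) plus `secrets` get lets any job running as `jenkins` exec into every build pod in the namespace and read `harbor-registry-secret` and its own token. I cannot see from here which of these the Jenkins kubernetes plugin actually uses — presumably pods, pods/exec, pods/log and events — so check against the plugin before trimming. The corrected third rule would read `- apiGroups: ["storage.k8s.io"]` / `resources: [storageclasses]` / `verbs: [get, list, watch]`, with `pods/log` kept in the core-group rule.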
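Review bot: This Secret materialises a non-expiring, manually managed token for the `jenkins` ServiceAccount; unlike a projected token it never rotates and stays valid until the Secret is deleted, and nothing in the file says who consumes it or how it is rotated. Add a header such as `# long-lived token for the Jenkins controller's kubeconfig; rotate by deleting and re-applying this Secret`, and if the Jenkins kubernetes plugin in use can authenticate with a short-lived bound token or a kubeconfig exec credential instead, prefer that. The label `name: jenkins-builds` also looks copied from the namespace manifest — the Secret is named `jenkins`, so either drop the label or make it `name: jenkins` as on the ServiceAccount.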
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-builds-namespace.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-builds-namespace.yaml
new file mode 100644
index 0000000..6232a24
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-builds-namespace.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: jenkins-builds
+ labels:
+ name: jenkins-builds
+ app.kubernetes.io/managed-by: manual
+ annotations:
+ scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/build=
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-deploy-service-account.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-deploy-service-account.yaml
new file mode 100644
index 0000000..c7727fc
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-deploy-service-account.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: manual
+ name: jenkins-deploy
+ namespace: jenkins-builds
+imagePullSecrets:
+ - name: harbor-registry-secret
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/.rbac/vault-service-account.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/.rbac/vault-service-account.yaml
new file mode 100644
index 0000000..e56e866
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/.rbac/vault-service-account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: vault-sa
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: vault-operator
+ app.kubernetes.io/part-of: vault-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: vault
+ namespace: sandbox
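Review bot: The namespace that will run CI build pods — whose `jenkins` ServiceAccount may create pods and exec into them — carries no Pod Security Admission labels, so a job can ask for hostPath mounts, host networking or a privileged container unless something not shown here blocks it. Add `pod-security.kubernetes.io/enforce: baseline` (or `restricted` if the build images tolerate it) next to the existing labels, with matching `warn` and `audit` labels; if builds genuinely need privileged containers, say so in a comment so the exemption is deliberate. The `scheduler.alpha.kubernetes.io/node-selector` annotation is only honoured when the PodNodeSelector admission plugin is enabled on the API server, which this repo does not show — if it is not, build pods land on arbitrary nodes silently, so a `# requires the PodNodeSelector admission plugin` comment would spare the next reader the surprise.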
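Review bot: This is the per-namespace identity the README tells users to create for Vault, but the Vault role the README writes as the per-namespace template uses `bound_service_account_names="*"`, so every ServiceAccount in the namespace — `default` included — can log in with the same policies and the dedicated `vault` account is not a boundary. Bind the Vault role to this account's name (`bound_service_account_names="vault"`) so only pods that opt in with `serviceAccountName: vault` can fetch secrets. Separately, the labels `app.kubernetes.io/managed-by: kustomize` and `app.kubernetes.io/created-by: vault-operator` appear copied from the bank-vaults operator manifests; everything else in this tree is labelled `managed-by: manual` and the README applies this file with plain kubectl, so the labels mislead anyone auditing who owns the object.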
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml
new file mode 100644
index 0000000..3f24def
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: sandbox
+ labels:
+ name: sandbox
+ app.kubernetes.io/managed-by: manual
+ annotations:
+ scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml
new file mode 100644
index 0000000..8ae1bed
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: sandbox
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ hard:
+ requests.cpu: "8"
+ requests.memory: 24Gi
+ limits.cpu: "16"
+ limits.memory: 32Gi
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/ingress-certs-secret.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/ingress-certs-secret.yaml
new file mode 100644
index 0000000..164e503
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/ingress-certs-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: avroid-tech-tls
+ namespace: tavro-cloud-dev
+data:
+# base64 encoded cert see values in vault. Don't push it to git!
+ tls.crt: ""
+ tls.key: ""
+type: kubernetes.io/tls
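Review bot: The ResourceQuota has no `metadata.namespace`, so `kubectl apply -f` on this file creates the quota in whatever namespace the current context points at (usually `default`) instead of `sandbox`; the Secrets and RoleBindings in this tree all set the namespace explicitly. Add `  namespace: sandbox` under `name: sandbox`. Note also that once a compute quota is active every pod in the namespace has to declare CPU and memory requests and limits or admission rejects it — the README's `vault-test` example Deployment, which is applied with `-n sandbox`, sets neither, so it would fail; either add a LimitRange with defaults beside this file or say in a comment that workloads must set resources.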
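Review bot: Applied as it stands, this file creates a `kubernetes.io/tls` Secret whose `tls.crt` and `tls.key` are empty strings — as far as I can tell API validation only checks that the two keys exist — and an Ingress referencing `avroid-tech-tls` then fails TLS with a confusing error. Make the placeholder impossible to apply by accident, e.g. a header `# TEMPLATE ONLY - do not kubectl apply; fill tls.crt/tls.key from Vault at deploy time`, or keep the file outside the apply path. The comment's intent is right, but the tree is inconsistent about it: the Harbor pull secrets in the same commit are committed with their real payload. If the vault-secrets-webhook from the README is meant to populate this Secret, its `vault:` value convention could replace the empty strings — presumably, verify against the webhook's Secret-mutation docs.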
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-deploy-tavro-cloud-dev-role-binding.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-deploy-tavro-cloud-dev-role-binding.yaml
new file mode 100644
index 0000000..7db44f0
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-deploy-tavro-cloud-dev-role-binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: manual
+ name: jenkins-deploy-tavro-cloud-dev
+ namespace: tavro-cloud-dev
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: tavro-cloud-dev-full
+subjects:
+ - kind: ServiceAccount
+ name: jenkins-deploy
+ namespace: jenkins-builds
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-harbor-secret.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-harbor-secret.yaml
new file mode 100644
index 0000000..bf18890
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-harbor-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: manual
+ name: harbor-registry-secret
+ namespace: tavro-cloud-dev
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJyb2JvdCRjaSIsInBhc3N3b3JkIjoiSFJqOWlIQXh2VUl1eVRab2d1S1BkR21US082UjlkUnoiLCJhdXRoIjoiY205aWIzUWtZMms2U0ZKcU9XbElRWGgyVlVsMWVWUmFiMmQxUzFCa1IyMVVTMDgyVWpsa1Vubz0ifX19
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/tavro-cloud-dev-role.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/tavro-cloud-dev-role.yaml
new file mode 100644
index 0000000..2f99c30
--- /dev/null
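Review bot: The `.dockerconfigjson` here is a byte-for-byte copy of the one committed in jenkins-builds/.rbac/jenkins-harbor-secret.yaml, so the same Harbor robot credential now sits in two files and two places in git history; it has to be rotated once and scrubbed from both, and rotating it for one namespace while the other still carries the old payload breaks image pulls there. Keep a single source of truth for the credential outside git — Vault, per the repo's own note on the TLS secret — and leave `.dockerconfigjson: ""  # filled from Vault, never committed` as the placeholder here.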
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/tavro-cloud-dev-role.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: tavro-cloud-dev-full
+ namespace: tavro-cloud-dev
+ labels:
+ app.kubernetes.io/managed-by: manual
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/vault-service-account.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/vault-service-account.yaml
new file mode 100644
index 0000000..4729680
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/vault-service-account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: vault-sa
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: vault-operator
+ app.kubernetes.io/part-of: vault-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: vault
+ namespace: tavro-cloud-dev
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/cloud-messenger-core-api/README.md b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/cloud-messenger-core-api/README.md
new file mode 100644
index 0000000..c9fa5fe
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/cloud-messenger-core-api/README.md
@@ -0,0 +1,8 @@
+# Install
+
+Для установки нужно забрать values и использовать их. Тут указан только пример, так как все это делается через jenkins
+
+```bash
+curl -o values.yaml https://git.avroid.tech/Apps-Backend/cloud-messenger-core-api/src/branch/develop/.helm/values.dev.yaml
+helm upgrade --install -f values.yaml cloud-messenger-core-api avroid/cloud-messenger-core-api
+```
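Review bot: The `'*'`/`'*'`/`'*'` rule hands the cross-namespace `jenkins-deploy` ServiceAccount every verb on every resource in tavro-cloud-dev, far more than a Helm deploy needs, and it includes the sensitive paths: reading `avroid-tech-tls` and `harbor-registry-secret`, `pods/exec` into running workloads, creating `roles`/`rolebindings`, and `serviceaccounts/token` for the `vault` account — which, with the Vault role the README binds to this namespace, yields the `prj-tavro-cloud-backend` secrets. Because the subject lives in jenkins-builds, compromising any job that runs as `jenkins-deploy` compromises this whole namespace. Enumerate what the pipeline's Helm release actually touches and leave out `pods/exec`, RBAC objects and token creation unless a step demonstrably needs them; I cannot see the Jenkins pipelines from here, so the list below is a starting point to confirm against them, not a verified minimum.
```yaml
rules:
- apiGroups: ["", "apps", "batch", "networking.k8s.io", "autoscaling"]
  resources:
    - configmaps
    - secrets
    - services
    - serviceaccounts
    - persistentvolumeclaims
    - pods
    - pods/log
    - deployments
    - statefulsets
    - jobs
    - cronjobs
    - ingresses
    - horizontalpodautoscalers
  verbs: ["*"]
```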
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/values.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/values.yaml
new file mode 100644
index 0000000..f764f23
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/values.yaml
@@ -0,0 +1 @@
+# see https://git.avroid.tech/Apps-Backend/helm-values/src/branch/master/avroid.local/api-gateway/openresty/values.yaml
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml
new file mode 100644
index 0000000..2a67ec0
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tavro-cloud-dev
+ labels:
+ name: tavro-cloud-dev
+ app.kubernetes.io/managed-by: manual
+ annotations:
+ scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml
new file mode 100644
index 0000000..cb29214
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: tavro-cloud-dev
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ hard:
+ requests.cpu: "8"
+ requests.memory: 24Gi
+ limits.cpu: "16"
+ limits.memory: 32Gi
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml
new file mode 100644
index 0000000..911f1cb
--- /dev/null
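Review bot: Like the sandbox quota, this ResourceQuota omits `metadata.namespace`, so applying the file without `-n tavro-cloud-dev` creates it in the context's current namespace rather than the one the directory name implies. Add `  namespace: tavro-cloud-dev` under `name: tavro-cloud-dev`, matching the Secrets and RoleBinding in `.rbac/` that already set it. Once the quota is active, every pod in the namespace must declare requests and limits or be rejected, so either pair it with a LimitRange providing defaults or note the requirement in the file for the Helm values that will deploy here.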
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vault-infra
+ labels:
+ name: vault-infra
+ app.kubernetes.io/managed-by: manual
+ annotations:
+ scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml
new file mode 100644
index 0000000..8daf9f8
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml
@@ -0,0 +1 @@
+# helm upgrade -n vault-infra --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-cluster_role_binding.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-cluster_role_binding.yaml
new file mode 100644
index 0000000..cd7c284
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-cluster_role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/instance: manager-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: vault-operator
+ app.kubernetes.io/part-of: vault-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: vault-auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: vault
+ namespace: vault-infra
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-secret.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-secret.yaml
new file mode 100644
index 0000000..7bf1e03
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vault
+ namespace: vault-infra
+ annotations:
+ kubernetes.io/service-account.name: vault
+type: kubernetes.io/service-account-token
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-service-account.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-service-account.yaml
new file mode 100644
index 0000000..a6d6035
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-service-account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: vault-sa
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: vault-operator
+ app.kubernetes.io/part-of: vault-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: vault
+ namespace: vault-infra
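Review bot: The token this Secret materialises is what the README hands to the external Vault as `token_reviewer_jwt`; it is a non-expiring legacy token that stays valid until the Secret is deleted, and anyone who can read it can call TokenReview for the whole cluster through the `system:auth-delegator` binding, yet the file does not say any of that. Add `# non-expiring token consumed by external Vault as token_reviewer_jwt; after rotating (delete + re-apply), re-run the vault write in the README` so the coupling is visible to whoever next touches it, and keep `get` on secrets in vault-infra restricted to cluster admins (the `jenkins` Role only reads secrets in jenkins-builds, which is fine). While you are in that README snippet, note that `jq '.issuer'` without `-r` leaves the surrounding quotes in `$ISSUER`, so the `issuer=` value written to Vault is `"https://..."` with literal quotes — presumably harmless if Vault's issuer validation is disabled, but worth fixing to `jq -r '.issuer'`.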
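Review bot: This ServiceAccount exists only so its token can be given to Vault for TokenReview, not to run pods, yet any pod in vault-infra that sets `serviceAccountName: vault` would automatically receive a projected token with the `system:auth-delegator` rights bound to it. Set `automountServiceAccountToken: false` at the top level of the manifest; the explicit `kubernetes.io/service-account-token` Secret the README relies on is still populated by the token controller, so nothing in the Vault setup changes. The `managed-by: kustomize` / `created-by: vault-operator` labels also look copied from the operator manifests and disagree with the `managed-by: manual` convention used everywhere else in this commit.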