diff --git a/infrastructure/cert-manager/external-secret.yaml b/infrastructure/cert-manager/external-secret.yaml
new file mode 100644
index 0000000..d21dbb6
--- /dev/null
+++ b/infrastructure/cert-manager/external-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-api-token-secret
+ namespace: cert-manager # Hier braucht es Cert-Manager
+spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: cloudflare-api-token-secret # Name des K8s Secrets
+ creationPolicy: Owner
+ data:
+ - secretKey: api-token # Key im K8s Secret
+ remoteRef:
+ key: secret/infrastructure/opnsense # Pfad im Vault
+ property: dns_api_token # Key im Vault
diff --git a/infrastructure/external-secrets-app.yaml b/infrastructure/external-secrets-app.yaml
new file mode 100644
index 0000000..8778406
--- /dev/null
+++ b/infrastructure/external-secrets-app.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-2" # Muss VOR Cert-Manager und Apps da sein
+spec:
+ project: default
+ source:
+ repoURL: https://charts.external-secrets.io
+ chart: external-secrets
+ targetRevision: 0.9.11
+ helm:
+ values: |
+ installCRDs: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: external-secrets
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/infrastructure/external-secrets-config-app.yaml b/infrastructure/external-secrets-config-app.yaml
new file mode 100644
index 0000000..a14ae47
--- /dev/null
+++ b/infrastructure/external-secrets-config-app.yaml
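Review bot: The Cloudflare token cert-manager receives is read from `key: secret/infrastructure/opnsense` / `property: dns_api_token`, which, judging by the path name, is the same Vault entry another system (OPNsense) consumes, so rotating or revoking that one credential silently breaks DNS-01 issuance for cert-manager and vice versa. A dedicated token scoped to DNS edit on the affected zone, stored under its own path (for example `key: secret/infrastructure/cert-manager` with `property: cloudflare_api_token`), keeps revocation and blast radius per consumer. If sharing the entry is deliberate, the `# Pfad im Vault` comment should say so, e.g. `# intentionally shared with the OPNsense entry: one Cloudflare token for this zone`, so the next person does not rotate it for one consumer only.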
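Review bot: With `installCRDs: true` and `prune: true` the ExternalSecret and ClusterSecretStore CRDs are owned by this Application, so deleting it, or a future chart revision that drops a CRD, would prune the CRD and with it every ExternalSecret and SecretStore in the cluster; that ownership deserves a comment above `installCRDs`, e.g. `# CRDs are owned by this app: pruning it removes all ExternalSecret/SecretStore objects`. ESO's CRDs have also been known to exceed the last-applied-configuration annotation limit under client-side apply, so adding `- ServerSideApply=true` next to `- CreateNamespace=true` in `syncOptions` is worth considering. The exact chart pin `targetRevision: 0.9.11` is good; keep it pinned rather than moving to a floating range.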
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets-config
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
+ targetRevision: HEAD
+ path: infrastructure/external-secrets
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: external-secrets
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/infrastructure/external-secrets/cluster-secret-store.yaml b/infrastructure/external-secrets/cluster-secret-store.yaml
new file mode 100644
index 0000000..081b148
--- /dev/null
+++ b/infrastructure/external-secrets/cluster-secret-store.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-backend
+spec:
+ provider:
+ vault:
+ server: "http://10.100.30.11:8200" # Interne IP vom Docker Host
+ path: "secret"
+ version: "v2"
+ auth:
+ kubernetes:
+ mountPath: "kubernetes"
+ role: "external-secrets-role"
+ serviceAccountRef:
+ name: external-secrets
+ namespace: external-secrets
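Review bot: `targetRevision: HEAD` combined with `automated.prune`/`selfHeal` applies whatever lands on the repository's default branch to a cluster-scoped resource (the ClusterSecretStore under `path: infrastructure/external-secrets`), so any push to that branch rewires which Vault server and role the whole cluster trusts for secrets; pin to a protected branch or tag, e.g. `targetRevision: main`, with review required on it. Unlike the external-secrets Application this one carries no sync-wave annotation; if both are children of an app-of-apps, the ClusterSecretStore may be synced before the CRDs from the `-2` wave exist, and an annotation such as `argocd.argoproj.io/sync-wave: "-1"` would place it after the chart install and before cert-manager's ExternalSecret. Whether such a parent Application exists is not visible in this diff.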
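Review bot: `server: "http://10.100.30.11:8200"` reaches Vault over plaintext HTTP, so the Kubernetes service-account JWT presented at login, the Vault token handed back, and every secret fetched through this store (including the Cloudflare API token) cross the network unencrypted; switch to `https://` and pin the issuer with `caBundle` or `caProvider` under `spec.provider.vault`. The store is cluster-scoped and every caller authenticates as the single `role: "external-secrets-role"`, so any namespace can reference it and read whatever that role's Vault policy permits; as far as I recall ESO's ClusterSecretStore supports `spec.conditions` with `namespaces` / `namespaceSelector`, which together with a Vault policy scoped to the paths the known ExternalSecrets use limits that exposure. The `# Interne IP vom Docker Host` comment would be more useful stating what is expected at that address, e.g. `# Vault (KV v2 at "secret"), reachable only from the cluster network`.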