diff --git a/argo/miniflux/values.yaml b/argo/miniflux/values.yaml
index d0b36a9..2a63a7f 100644
--- a/argo/miniflux/values.yaml
+++ b/argo/miniflux/values.yaml
@@ -6,13 +6,16 @@ serviceAccountName: miniflux
 externalSecrets:
   secretStoreName: miniflux
   vaultRole: miniflux
-  secrets:
-    - secretKey: miniflux_admin_pw
-      key: miniflux
-      property: miniflux_admin_pw
-    - secretKey: miniflux_db_url
-      key: miniflux
-      property: miniflux_db_url
+  secretPaths:
+    - name: miniflux
+      secrets:
+      - secretKey: miniflux_admin_pw
+        key: miniflux
+        property: miniflux_admin_pw
+      - secretKey: miniflux_db_url
+        key: miniflux
+        property: miniflux_db_url
+
 istio:
   commonName: rss.minhas.io
   ingressSelector: ingressgateway
diff --git a/argo/pihole/values.yaml b/argo/pihole/values.yaml
index 1365b9c..f67b7ea 100644
--- a/argo/pihole/values.yaml
+++ b/argo/pihole/values.yaml
@@ -6,10 +6,12 @@ serviceAccountName: default
 externalSecrets:
   secretStoreName: default
   vaultRole: external-dns
-  secrets:
-    - secretKey: pihole-password
-      key: external-dns
-      property: pihole-password
+  secretPaths:
+    - name: pihole
+      secrets:
+      - secretKey: pihole-password
+        key: external-dns
+        property: pihole-password
 
 # app
 serviceDns:
diff --git a/argo/secrets/templates/external-secrets.yaml b/argo/secrets/templates/external-secrets.yaml
index c043782..2d1a24e 100644
--- a/argo/secrets/templates/external-secrets.yaml
+++ b/argo/secrets/templates/external-secrets.yaml
@@ -59,18 +59,19 @@ spec:
           secretRef:
             name: "serviceaccounttoken"
 ...
+{{- range .Values.externalSecrets.secretPaths }}
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: {{ .Values.name }}
-  namespace: {{ .Values.namespace }}
+  name: {{ .name }}
+  namespace: {{ $.Values.namespace }}
 spec:
   secretStoreRef:
-    name: {{ .Values.externalSecrets.secretStoreName }}
+    name: {{ $.Values.externalSecrets.secretStoreName }}
     kind: SecretStore
   data:
-{{- range .Values.externalSecrets.secrets }}
+{{- range .secrets }}
   - secretKey: {{ .secretKey }}
     remoteRef:
       conversionStrategy: Default
@@ -79,4 +80,5 @@ spec:
       property: {{ .property }}
 {{- end }}
 ...
+{{- end }}
 {{ end }}
diff --git a/argo/vault-config-operator/values.yaml b/argo/vault-config-operator/values.yaml
index 29b6541..5c58fa9 100644
--- a/argo/vault-config-operator/values.yaml
+++ b/argo/vault-config-operator/values.yaml
@@ -5,10 +5,12 @@ serviceAccountName: vault-config-operator
 externalSecrets:
   secretStoreName: vault-config-operator
   vaultRole: vault-config-operator
-  secrets:
-    - secretKey: ca.crt
-      key: vault-config-operator
-      property: ca.crt
+  secretPaths:
+    - name: vault-config-operator
+      secrets:
+      - secretKey: ca.crt
+        key: vault-config-operator
+        property: ca.crt
 
 enableCertManager: true
 
diff --git a/helm/setup/003-cert-manager/external-secrets.yaml b/helm/apps/cert-manager-stack/external-secrets.yaml
similarity index 100%
rename from helm/setup/003-cert-manager/external-secrets.yaml
rename to helm/apps/cert-manager-stack/external-secrets.yaml
diff --git a/helm/setup/003-cert-manager/install.sh b/helm/apps/cert-manager-stack/install.sh
similarity index 100%
rename from helm/setup/003-cert-manager/install.sh
rename to helm/apps/cert-manager-stack/install.sh
diff --git a/helm/setup/003-cert-manager/issuers.yaml b/helm/apps/cert-manager-stack/issuers.yaml
similarity index 100%
rename from helm/setup/003-cert-manager/issuers.yaml
rename to helm/apps/cert-manager-stack/issuers.yaml