diff --git a/k8s/apps/k8s-secrets/app.yaml b/k8s/apps/k8s-secrets/app.yaml
new file mode 100644
index 0000000..67d13ba
--- /dev/null
+++ b/k8s/apps/k8s-secrets/app.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: k8s-secrets
+ namespace: argocd
+spec:
+ project: apps
+ destination:
+ namespace: k8s-secret
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/apps/k8s-secrets
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/k8s/apps/k8s-secrets/deployment.yaml b/k8s/apps/k8s-secrets/deployment.yaml
new file mode 100644
index 0000000..08d8ce4
--- /dev/null
+++ b/k8s/apps/k8s-secrets/deployment.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: secret-reader
+ labels:
+ app: secret-reader
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: secret-reader
+ template:
+ metadata:
+ labels:
+ app: secret-reader
+ spec:
+ serviceAccountName: secret-reader
+ nodeSelector:
+ kubernetes.io/os: linux
+ containers:
+ - name: secret-reader
+ image: secret-reader:latest
+ imagePullPolicy: IfNotPresent
+ args:
+ - "--secrets"
+ - "openai-creds"
+ - "--port"
+ - "3000"
+ ports:
+ - containerPort: 3000
+ name: http
+ env:
+ - name: RUST_LOG
+ value: "info"
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "50m"
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/k8s/apps/k8s-secrets/external-secret.yaml b/k8s/apps/k8s-secrets/external-secret.yaml
new file mode 100644
index 0000000..6f6c1b8
--- /dev/null
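Review bot: `destination.namespace` is `k8s-secret` while the Application name, the source `path` and the directory are all `k8s-secrets`; because `CreateNamespace=true` is set in `syncOptions`, a typo here would not fail the sync but silently create and populate a second namespace. If the singular form is intentional, say so above it, e.g. `# destination namespace is deliberately "k8s-secret" (singular)`; otherwise change it to `namespace: k8s-secrets`. `targetRevision: HEAD` combined with `selfHeal: true` and `prune: true` means whatever lands on the default branch is applied and anything not in the repo is deleted, which is the usual GitOps trade-off for a homelab but deserves a one-line comment above `syncPolicy:` so the blast radius of a bad push is understood.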
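Review bot: `image: secret-reader:latest` together with `imagePullPolicy: IfNotPresent` pins nothing: the node keeps running whatever image it already cached under that tag, a rebuilt image is never pulled, and what is actually executing cannot be traced back to a commit. Reference the image by digest, `image: secret-reader@sha256:<digest placeholder>`, or at least by an immutable version tag. The container `securityContext` is otherwise close to the restricted Pod Security Standard but has no seccomp profile; add `seccompProfile:` with `  type: RuntimeDefault` under `securityContext:` so the syscall surface is confined as well. `runAsUser: 1000` without `runAsGroup` leaves the primary group at the image default, which is worth stating explicitly next to it.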
+++ b/k8s/apps/k8s-secrets/external-secret.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: openai-creds
+spec:
+ target:
+ name: openai-creds
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ USER: |-
+ {{ .user }}
+ PASS: |-
+ {{ .pass }}
+ TOTP: |-
+ {{ .totp }}
+ data:
+ - secretKey: user
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: a485f323-fd47-40ee-a5cf-40891b1f963c
+ property: login.username
+ - secretKey: pass
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: a485f323-fd47-40ee-a5cf-40891b1f963c
+ property: login.password
+ - secretKey: totp
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: a485f323-fd47-40ee-a5cf-40891b1f963c
+ property: login.totp
+
diff --git a/k8s/apps/k8s-secrets/rbac.yaml b/k8s/apps/k8s-secrets/rbac.yaml
new file mode 100644
index 0000000..c65d158
--- /dev/null
+++ b/k8s/apps/k8s-secrets/rbac.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secret-reader
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: secret-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: secret-reader
+subjects:
+- kind: ServiceAccount
+ name: secret-reader
diff --git a/k8s/apps/k8s-secrets/service-account.yaml b/k8s/apps/k8s-secrets/service-account.yaml
new file mode 100644
index 0000000..b1aec99
--- /dev/null
+++ b/k8s/apps/k8s-secrets/service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: secret-reader
+ labels:
+ app: secret-reader
diff --git a/k8s/apps/k8s-secrets/service.yaml b/k8s/apps/k8s-secrets/service.yaml
new file mode 100644
index 0000000..ba5b6b9
--- /dev/null
+++ b/k8s/apps/k8s-secrets/service.yaml
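Review bot: `spec.refreshInterval` is not set, so the mirrored Secret is re-synced only at the operator's default interval (presumably 1h); since the item holds a username, a password and a TOTP entry, a rotation in Vaultwarden will not reach the cluster until that next refresh, and the interval should be stated explicitly with `refreshInterval: 1h` (or whatever is intended) above `target:`. The same store reference and item key `a485f323-fd47-40ee-a5cf-40891b1f963c` are repeated three times in `data`; a comment naming which Vaultwarden item that UUID refers to, without its contents, e.g. `# Vaultwarden item: <item name placeholder>`, would make the manifest auditable without opening the vault. Rendering all three fields into one Opaque Secret means any identity granted `get` on Secrets in this namespace obtains every login factor at once, which is exactly what the Role in this commit hands to the reader; that coupling is worth a comment above `template:`.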
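Review bot: The Role grants `get` and `list` on every Secret in the namespace, while the Deployment in this commit only asks for one via `--secrets openai-creds`. If the binary fetches that Secret by name, narrow the rule to `resourceNames: ["openai-creds"]` and drop `list`, because `list` cannot be confined by `resourceNames` and returns every Secret that ever lands in the namespace; if it genuinely needs `list`, a comment stating why would save the next reviewer the question. The block sequences here are flush (`- apiGroups` at the key's own column) while deployment.yaml indents its sequences; pick one style for the directory.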
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: secret-reader
+ labels:
+ app: secret-reader
+spec:
+ type: ClusterIP
+ selector:
+ app: secret-reader
+ ports:
+ - port: 80
+ targetPort: 3000
+ protocol: TCP
+ name: http
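Review bot: The Service exposes the reader on port 80 to every pod in the cluster, and nothing in this commit limits who may reach it; given the container is started with `--secrets openai-creds`, it presumably serves that Secret's contents over plain HTTP to any caller (the binary's behaviour is not visible here, so confirm). Pair the Service with a NetworkPolicy that selects `app: secret-reader` and allows ingress only from the intended consumer, and note that the cluster's CNI must enforce NetworkPolicy for it to have effect. A sketch, with the consumer namespace left as a placeholder:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: secret-reader
spec:
  podSelector:
    matchLabels:
      app: secret-reader
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: CONSUMER_NAMESPACE_PLACEHOLDER
      ports:
        - port: 3000
          protocol: TCP
```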