diff --git a/Chart.yaml b/Chart.yaml
index 410937d..cb1c85e 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -23,8 +23,8 @@ description: |
 Git).
 type: application
-version: 0.6.1
-appVersion: "0.6.1"
+version: 0.6.2
+appVersion: "0.6.2"
 dependencies:
 - name: cert-manager
diff --git a/templates/openbao-secretstore.yaml b/templates/openbao-secretstore.yaml
index a1143c4..c440057 100644
--- a/templates/openbao-secretstore.yaml
+++ b/templates/openbao-secretstore.yaml
@@ -27,7 +27,11 @@ spec:
 mountPath: {{ .Values.externalSecrets.openbao.mountPath | quote }}
 role: {{ .Values.externalSecrets.openbao.role | default "eso" | quote }}
 serviceAccountRef:
- name: external-secrets
+ # ESO subchart names its SA `-external-secrets`
+ # (no fullnameOverride — see values.yaml). The OpenBao
+ # role's bound_service_account_names must match this
+ # exact name (e.g. `qsoft-platform-external-secrets`).
+ name: "{{ .Release.Name }}-external-secrets"
 namespace: odoosky-system
 {{- end }}
 {{- end }}
diff --git a/values.yaml b/values.yaml
index c84026a..02a10f7 100644
--- a/values.yaml
+++ b/values.yaml
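Review bot: In templates/openbao-secretstore.yaml the new `name: "{{ .Release.Name }}-external-secrets"` re-derives the subchart's ServiceAccount name by hand, so it only matches when the subchart's fullname helper really yields `<release>-external-secrets`. If the ESO chart uses the usual Helm fullname helper (not visible here), a release name that already contains `external-secrets`, or one long enough to be truncated at 63 characters, produces a different SA name and the ClusterSecretStore then fails Kubernetes auth against OpenBao. Consider making the name overridable, e.g. `name: {{ .Values.externalSecrets.openbao.serviceAccountName | default (printf "%s-external-secrets" .Release.Name) | quote }}`. The added comment could also say that `namespace: odoosky-system` on the following line has to equal the release namespace for the role's `bound_service_account_namespaces` to match. The enclosing `spec:` block starts outside the hunk.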
@@ -278,20 +278,10 @@ externalSecrets:
 # first apply. Resource limits conservative — ESO is event-driven
 # and idle most of the time.
 #
-# fullnameOverride locks the SA + Deployment + Service names to plain
-# "external-secrets" (no - prefix), so the OpenBao role
-# binding and our ClusterSecretStore.serviceAccountRef can reference
-# a stable name across every cluster.
+# We keep the subchart's default release-prefixed naming
+# (`-external-secrets`) — i.e., we DON'T set
+# fullnameOverride. The ClusterSecretStore manifest references the
+# SA via `{{ .Release.Name }}-external-secrets` so the name resolves
+# correctly per-cluster.
 external-secrets:
 installCRDs: true
- fullnameOverride: "external-secrets"
- serviceAccount:
- name: external-secrets
- webhook:
- fullnameOverride: "external-secrets-webhook"
- serviceAccount:
- name: external-secrets-webhook
- certController:
- fullnameOverride: "external-secrets-cert-controller"
- serviceAccount:
- name: external-secrets-cert-controller
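Review bot: Dropping `fullnameOverride` and the three `serviceAccount.name` pins renames the ESO controller, webhook and cert-controller ServiceAccounts on upgrade, and the rewritten comment does not say what has to change on the OpenBao side. Each cluster's role needs the release-prefixed name in `bound_service_account_names`, and the old plain `external-secrets` entry should be removed rather than left next to it, so that no leftover ServiceAccount of that name in `odoosky-system` can still log in. I would add to the comment block something like `# Upgrade: set the OpenBao role's bound_service_account_names to the release-prefixed SA and drop the old "external-secrets" entry.` Whether anything else in the chart refers to the old webhook or cert-controller names is not visible in this hunk.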