diff --git a/Chart.yaml b/Chart.yaml
index 6681a78..410937d 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -23,8 +23,8 @@ description: |
 Git).
 type: application
-version: 0.6.0
-appVersion: "0.6.0"
+version: 0.6.1
+appVersion: "0.6.1"
 dependencies:
 - name: cert-manager
diff --git a/values.yaml b/values.yaml
index cd34092..c84026a 100644
--- a/values.yaml
+++ b/values.yaml
@@ -277,5 +277,21 @@ externalSecrets:
 # (Chart.yaml dependency name = "external-secrets"). CRDs install on
 # first apply. Resource limits conservative — ESO is event-driven
 # and idle most of the time.
+#
+# fullnameOverride locks the SA + Deployment + Service names to plain
+# "external-secrets" (no - prefix), so the OpenBao role
+# binding and our ClusterSecretStore.serviceAccountRef can reference
+# a stable name across every cluster.
 external-secrets:
 installCRDs: true
+ fullnameOverride: "external-secrets"
+ serviceAccount:
+ name: external-secrets
+ webhook:
+ fullnameOverride: "external-secrets-webhook"
+ serviceAccount:
+ name: external-secrets-webhook
+ certController:
+ fullnameOverride: "external-secrets-cert-controller"
+ serviceAccount:
+ name: external-secrets-cert-controller
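Review bot: In the values.yaml hunk, the new comment above `external-secrets:` ties the pinned names to the OpenBao role binding, but it does not say which of the three ServiceAccounts is meant to authenticate, nor that the binding must also fix the namespace. The role itself is not visible in this diff; if its bound namespaces are wildcarded, an identically named ServiceAccount in any other namespace would match it, so the stable name is only as safe as the namespace constraint next to it. I would add a line such as `# Only the "external-secrets" SA is bound in OpenBao (name + namespace); the webhook and cert-controller SAs get no role.` after the last added comment line, adjusted to what the role actually binds. The `(no - prefix)` wording also reads as if a placeholder was dropped; `(no release-name prefix)` would be unambiguous.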