diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 755b031..08828c9 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -28,3 +28,6 @@ spec:
 - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
 targetRevision: HEAD
 ref: values
+ - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+ targetRevision: HEAD
+ path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/manifests"
diff --git a/template/stacks/ref-implementation/openbao.yaml b/template/stacks/ref-implementation/openbao.yaml
index 08266e8..8715cec 100644
--- a/template/stacks/ref-implementation/openbao.yaml
+++ b/template/stacks/ref-implementation/openbao.yaml
@@ -27,6 +27,9 @@ spec:
 - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
 targetRevision: HEAD
 ref: values
+ - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+ targetRevision: HEAD
+ path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/ref-implementation/openbao/manifests"
 ignoreDifferences:
 - group: admissionregistration.k8s.io
 kind: MutatingWebhookConfiguration
diff --git a/template/stacks/ref-implementation/openbao/manifests/role.yaml b/template/stacks/ref-implementation/openbao/manifests/role.yaml
new file mode 100644
index 0000000..d2f66a9
--- /dev/null
+++ b/template/stacks/ref-implementation/openbao/manifests/role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-token-role
+ namespace: openbao
+rules:
+ - apiGroups: [""] # "" indicates the core API group
+ resources: ["secrets"]
+ verbs: ["create"]
diff --git a/template/stacks/ref-implementation/openbao/manifests/rolebinding.yaml b/template/stacks/ref-implementation/openbao/manifests/rolebinding.yaml
new file mode 100644
index 0000000..625acd8
--- /dev/null
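Review bot: The Role hands the openbao ServiceAccount `create` on every Secret in the namespace without saying why, and `create` is the one verb `resourceNames` cannot narrow, so the intent belongs in the file: `# create-only on Secrets: lets the server's postStart hook publish the init root token as vault-token; no get/list/update, so it cannot read Secrets back.` Create-only also means a second run of the hook cannot overwrite an existing `vault-token` and fails with AlreadyExists, which is the right outcome if the token is meant to be written exactly once, but it should be stated so nobody later "fixes" it by adding `update`.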
+++ b/template/stacks/ref-implementation/openbao/manifests/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-token-rolebinding
+ namespace: openbao
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-token-role
+subjects:
+ - kind: ServiceAccount
+ name: openbao
+ namespace: openbao
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml
index 0ff72cf..96434e8 100644
--- a/template/stacks/ref-implementation/openbao/values.yaml
+++ b/template/stacks/ref-implementation/openbao/values.yaml
@@ -3,6 +3,8 @@ server:
 - sh
 - -c
 - |
+ set -e
+ sleep 10
 bao operator init >> /tmp/init.txt
 cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
@@ -13,5 +15,17 @@ server:
 echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
 echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
 rm /tmp/init.txt
+
+ if [[ "$(uname -m)" == "x86_64" ]]; then
+ wget "https://dl.k8s.io/release/$(wget https://dl.k8s.io/release/stable.txt -q -O -)/bin/linux/amd64/kubectl" -O /tmp/kubectl_eso
+ else
+ wget "https://dl.k8s.io/release/$(wget https://dl.k8s.io/release/stable.txt -q -O -)/bin/linux/arm64/kubectl" -O /tmp/kubectl_eso
+ fi
+ chmod +x /tmp/kubectl_eso
+
+ kubectl create secret generic vault-token --from-literal=token="$(cat /openbao/data/initial_token.txt)" -n openbao
+
+ rm /tmp/kubectl_eso
+
 ui:
 enabled: true
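Review bot: The subject assumes the OpenBao chart creates a ServiceAccount literally named `openbao` in namespace `openbao`; nothing in this diff sets `server.serviceAccount.name`, so if the chart derives the SA name from the release the binding is inert and the hook's `create secret` fails with Forbidden. Either pin the SA name in values.yaml or record the coupling here: `# subject must match the ServiceAccount the chart creates for the server (server.serviceAccount.name)`. I cannot confirm the chart's default from what is visible.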
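Review bot: `sleep 10` is a fixed delay standing in for a readiness check, and the new `set -e` makes losing that race expensive: if the listener is not up yet, or the backend is already initialized because the pod restarted, `bao operator init` fails, the hook exits non-zero and Kubernetes kills the container, which restarts into the same failure. Poll instead, e.g. `until bao status >/dev/null 2>&1 || [ $? -eq 2 ]; do sleep 1; done` (exit 2 is "reachable but sealed"), and return early when `bao status -format=json` already reports the backend initialized; the exact field name is worth checking against the OpenBao CLI. Note also that `set -e` without pipefail only sees the exit status of `xargs` in the unseal pipeline, so a failing `grep` or `awk` passes silently, and `set -o pipefail` may not exist under a POSIX `sh`. One old context line of this hunk appears to have been lost in extraction (the header counts six, five are visible), and the script continues in the next hunk.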
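Review bot: The downloaded binary is saved as `/tmp/kubectl_eso` but the secret is created with a bare `kubectl`, so the download is never executed and, with the `set -e` added above, the hook aborts unless the image already ships kubectl on PATH. Beyond that, the block runs an unpinned, unverified binary fetched over the network at every pod start, passes the root token via `--from-literal` where it is visible in the container's process list, uses the bash-only `[[ ]]` under `sh -c` (fails on dash), and assumes anything non-x86_64 is arm64. The rewrite below calls the downloaded binary, checks the published sha256 (assuming the image has `sha256sum`), feeds the token on stdin — `$(cat …)` drops the trailing newline the earlier `echo` wrote, as the original did, whereas `--from-file` on the file itself would keep it — and refuses unknown architectures. Writing the root token into a namespace Secret remains a reference-setup shortcut, since any principal with `get` on Secrets in `openbao` obtains full control; a comment such as `# NOTE: vault-token holds the ROOT token; use a scoped token outside the reference setup` should sit next to the create. The postStart script begins in the previous hunk, outside this one.
```yaml
          # … unchanged: bao operator init, unseal, unseal_key*.txt writes, rm /tmp/init.txt …
          KUBECTL_VERSION="$(wget -q -O - https://dl.k8s.io/release/stable.txt)"   # better: pin a version
          case "$(uname -m)" in
            x86_64)  ARCH=amd64 ;;
            aarch64) ARCH=arm64 ;;
            *) echo "unsupported arch: $(uname -m)" >&2; exit 1 ;;
          esac
          wget -q "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" -O /tmp/kubectl_eso
          wget -q "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" -O /tmp/kubectl_eso.sha256
          echo "$(cat /tmp/kubectl_eso.sha256)  /tmp/kubectl_eso" | sha256sum -c -
          chmod +x /tmp/kubectl_eso
          # NOTE: vault-token holds the ROOT token; use a scoped token outside the reference setup
          printf '%s' "$(cat /openbao/data/initial_token.txt)" \
            | /tmp/kubectl_eso create secret generic vault-token --from-file=token=/dev/stdin -n openbao
          rm -f /tmp/kubectl_eso /tmp/kubectl_eso.sha256
```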