diff --git a/appsets/external-secrets.yaml b/appsets/external-secrets.yaml
new file mode 100644
index 0000000..6433cae
--- /dev/null
+++ b/appsets/external-secrets.yaml
@@ -0,0 +1,103 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: universal-external-secrets
+spec:
+ generators:
+ - list:
+ elements:
+ - cluster: cherry
+ url: https://kubernetes.default.svc
+ syncPolicy:
+ applicationsSync: sync
+ template:
+ metadata:
+ name: "{{cluster}}-external-secrets"
+ spec:
+ project: infrastructure
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ source:
+ chart: external-secrets
+ repoURL: https://charts.external-secrets.io
+ targetRevision: 0.9.5
+ helm:
+ releaseName: external-secrets
+ valuesObject:
+ installCRDs: true
+ # Operator
+ replicaCount: 2
+ leaderElect: true
+ podDisruptionBudget:
+ enabled: true
+ minAvailable: 1
+ resources:
+ limits:
+ cpu: 60m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - external-secrets
+ topologyKey: kubernetes.io/hostname
+ # Webhook
+ webhook:
+ replicaCount: 2
+ podDisruptionBudget:
+ enabled: true
+ minAvailable: 1
+ resources:
+ limits:
+ cpu: 60m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - external-secrets-webhook
+ topologyKey: kubernetes.io/hostname
+ # Cert Controller
+ certController:
+ replicaCount: 2
+ podDisruptionBudget:
+ enabled: true
+ minAvailable: 1
+ resources:
+ limits:
+ cpu: 60m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - external-secrets-cert-controller
+ topologyKey: kubernetes.io/hostname
+ destination:
+ server: "{{url}}"
+ namespace: 
external-secrets
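Review bot: The `valuesObject` block tunes replicas, PDBs, resources and anti-affinity but leaves the operator's scope at the chart defaults, which as far as I know means cluster-wide reconciliation of ExternalSecret, ClusterSecretStore and ClusterExternalSecret objects, with RBAC to read and write Secrets in every namespace. If cluster-scoped stores are not needed on `cherry`, I would state that explicitly with `processClusterStore: false` and `processClusterExternalSecret: false` next to `leaderElect`, or narrow it further with `scopedNamespace` / `scopedRBAC`; please confirm these keys against the 0.9.5 chart values. Separately, `installCRDs: true` combined with `automated.prune: true` means a bad render or a later values change can prune the CRDs and, with them, every ExternalSecret and the Secrets they own. Consider adding `ServerSideApply=true` to `syncOptions` (these CRDs are commonly too large for client-side apply) and protecting the CRDs from pruning. A short comment above `targetRevision` recording why 0.9.5 is pinned and who owns upgrades would also help, since this controller handles every synced credential.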