diff --git a/vault/external-secret.yaml b/vault/external-secret.yaml
new file mode 100644
index 0000000..eb2d020
--- /dev/null
+++ b/vault/external-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-config
+  namespace: vault
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: vault-config-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: extraconfig-from-values.hcl
+      remoteRef:
+        key: secret/data/vault/config
+        property: extraconfig-from-values.hcl
diff --git a/vault/helm-values.yaml b/vault/helm-values.yaml
index e03e6da..e89b1c4 100644
--- a/vault/helm-values.yaml
+++ b/vault/helm-values.yaml
@@ -12,27 +12,34 @@ server:
   dev:
     enabled: false
 
-  # Standalone mode with file storage
+  # Standalone 비활성화 (HA 사용)
   standalone:
+    enabled: false
+
+  # HA 설정 - PostgreSQL storage (config from External Secret)
+  ha:
     enabled: true
-    config: |
-      ui = true
+    replicas: 3
+    raft:
+      enabled: false
 
-      listener "tcp" {
-        tls_disable = 1
-        address = "[::]:8200"
-        cluster_address = "[::]:8201"
-      }
+  # PVC 비활성화 (PostgreSQL 사용)
+  dataStorage:
+    enabled: false
 
-      storage "file" {
-        path = "/vault/data"
-      }
+  # Config from External Secret
+  volumes:
+    - name: vault-config-secret
+      secret:
+        secretName: vault-config-secret
 
-      # Prometheus metrics
-      telemetry {
-        prometheus_retention_time = "30s"
-        disable_hostname = true
-      }
+  volumeMounts:
+    - name: vault-config-secret
+      mountPath: /vault/userconfig
+      readOnly: true
+
+  # Extra args to use config from secret
+  extraArgs: "-config=/vault/userconfig/extraconfig-from-values.hcl"
 
   # 리소스 제한
   resources:
@@ -57,10 +64,6 @@ server:
     hosts:
       - vault0213.kro.kr
 
-  # HA 비활성화 (단일 인스턴스)
-  ha:
-    enabled: false
-
   # 서비스 타입
   service:
     enabled: true
diff --git a/vault/kustomization.yaml b/vault/kustomization.yaml
index cdec870..0580506 100644
--- a/vault/kustomization.yaml
+++ b/vault/kustomization.yaml
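Review bot: `refreshInterval: 1h` keeps the Kubernetes Secret in sync with `secret/data/vault/config`, but the HCL it produces is consumed as a `-config` file that Vault reads only at process start, so a rotated PostgreSQL connection string or a listener change in the remote secret does not take effect until the Vault pods are restarted. Worth stating this above `refreshInterval`, e.g. `# Vault reads the HCL only at startup; roll the StatefulSet after changing the remote secret`. Moving the server config out of the repo also means the listener settings (the removed standalone config had `tls_disable = 1`) and the storage stanza can no longer be reviewed here; consider listing the stanzas the secret is expected to contain in a comment (`storage "postgresql"` with `ha_enabled = "true"` for the 3-replica HA setup, and `service_registration "kubernetes"` so active/standby pods are labelled). If the `vault-backend` ClusterSecretStore points at the same Vault this chart deploys, the dependency is circular and a cold start cannot bootstrap — presumably it is a separate Vault, but that should be confirmed.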
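Review bot: `extraArgs: "-config=/vault/userconfig/extraconfig-from-values.hcl"` is appended after the chart's own `-config` flag, and with `ha.enabled: true` nothing in this hunk overrides `ha.config`, so — if this is the upstream vault-helm chart — its default `ha.config` (a `storage "consul"` stanza and a `tls_disable = 1` listener) is still rendered into the chart ConfigMap and Vault loads both files, merging two storage stanzas and two listeners; which definition wins is not obvious from the values. Either take ownership of the chart-rendered config (set `ha.config` to exactly the stanzas you want the chart to own, or clear it) or document why the merge is intended, and check how the chart version in use builds the server command before relying on the extra flag. A one-line comment next to `extraArgs` such as `# NOTE: the chart also passes its own -config; ha.config must not define storage/listener` would make the intent reviewable. The `server:` mapping starts and ends outside this hunk.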
@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cluster-secret-store.yaml
+- external-secret.yaml
+- rbac.yaml
diff --git a/vault/rbac.yaml b/vault/rbac.yaml
new file mode 100644
index 0000000..72395c4
--- /dev/null
+++ b/vault/rbac.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:auth-delegator
+rules:
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-token-reviewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: vault
+    namespace: vault
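Review bot: The ClusterRole named `system:auth-delegator` collides with the built-in ClusterRole of the same name that the API server creates and reconciles at startup (it carries `rbac.authorization.kubernetes.io/autoupdate: "true"`), so applying this manifest updates a system object in place — which the reconciler can later revert — rather than creating a separate role. The rules here are identical to the built-in ones, so the first document should be dropped and `rbac.yaml` reduced to the ClusterRoleBinding, which already references `system:auth-delegator` by name. Note also that the upstream vault-helm chart creates an equivalent binding for the server ServiceAccount when `server.authDelegator.enabled` is true (its default), so this file may be redundant altogether — confirm the release's rendered ClusterRoleBindings before adding a second one. If the Helm release does not name its ServiceAccount `vault`, the `subjects` entry here binds nothing; a comment such as `# must match the ServiceAccount created by the vault Helm release` would make that dependency explicit.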