diff --git a/deployments/tailscale/operator/external-secret.yaml b/deployments/tailscale/operator/external-secret.yaml
new file mode 100644
index 0000000..2268e10
--- /dev/null
+++ b/deployments/tailscale/operator/external-secret.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: tailscale-operator-secret
+  namespace: tailscale
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: orion-vault
+    kind: ClusterSecretStore
+  target:
+    name: tailscale-operator-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: tailscale/operator
+        property: CLIENT_ID_FILE
+    - secretKey: client-secret
+      remoteRef:
+        key: tailscale/operator
+        property: CLIENT_SECRET_FILE