diff --git a/Chart.yaml b/Chart.yaml
index d619d70..de3c2da 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: edge-gitops-vms
 description: Edge GitOps VMs
 type: application
-version: 0.3.5
+version: 0.4.0
 dependencies: [ ]
diff --git a/README.md b/README.md
index 6765c4e..c2dca5d 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # edge-gitops-vms
 
-![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Edge GitOps VMs
 
@@ -8,6 +8,7 @@ This chart is used to set up Edge GitOps VMs in conjunction with OpenShift Virtu
 
 ### Notable changes
 
+* v0.4.0: Parameterize ESO API version and default it to v1
 * v0.3.5: Several fixes to separate DataSources from VM namespace
 * v0.3.4: Correct order of coalesce arguments for main disk storage bus
 * v0.3.3: Allow configuraton of main disk storage bus. Default to virtio but Windows benefits from sata
@@ -20,7 +21,7 @@ This chart is used to set up Edge GitOps VMs in conjunction with OpenShift Virtu
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| disableExternalSecrets | bool | `true` |  |
+| disableExternalSecrets | bool | `false` |  |
 | externalDataSources | object | `{}` |  |
 | global.clusterDomain | string | `"example.com"` |  |
 | global.pattern | string | `"ansible-edge-gitops"` |  |
@@ -45,6 +46,7 @@ This chart is used to set up Edge GitOps VMs in conjunction with OpenShift Virtu
 | rbac.roles[0].verbs[1] | string | `"list"` |  |
 | rbac.roles[0].verbs[2] | string | `"watch"` |  |
 | registryCredentialExternalSecrets | object | `{}` |  |
+| secretStore.esoApiVersion | string | `"external-secrets.io/v1"` |  |
 | secretStore.kind | string | `"ClusterSecretStore"` |  |
 | secretStore.name | string | `"vault-backend"` |  |
 | serviceAccountName | string | `"ansible-edge-gitops-sa"` |  |
diff --git a/README.md.gotmpl b/README.md.gotmpl
index ee08425..17bea3a 100644
--- a/README.md.gotmpl
+++ b/README.md.gotmpl
@@ -9,6 +9,7 @@ This chart is used to set up Edge GitOps VMs in conjunction with OpenShift Virtu
 
 ### Notable changes
 
+* v0.4.0: Parameterize ESO API version and default it to v1
 * v0.3.5: Several fixes to separate DataSources from VM namespace
 * v0.3.4: Correct order of coalesce arguments for main disk storage bus
 * v0.3.3: Allow configuraton of main disk storage bus. Default to virtio but Windows benefits from sata
diff --git a/templates/registry-credential-ExternalSecrets.yaml b/templates/registry-credential-ExternalSecrets.yaml
index f082c3a..a5afb6b 100644
--- a/templates/registry-credential-ExternalSecrets.yaml
+++ b/templates/registry-credential-ExternalSecrets.yaml
@@ -2,7 +2,7 @@
 {{- range $esk,$esv := .Values.registryCredentialExternalSecrets }}
 {{- $name := coalesce $esv.name $esk }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: {{ $.Values.secretStore.esoApiVersion }}
 kind: ExternalSecret
 metadata:
   name: es-registry-creds-{{ $name }}
diff --git a/templates/virtual-machines.yaml b/templates/virtual-machines.yaml
index 9432d16..0b08cd5 100644
--- a/templates/virtual-machines.yaml
+++ b/templates/virtual-machines.yaml
@@ -4,7 +4,7 @@
 {{- $role := coalesce $vmr.role $def.role }}
 {{- if not $.Values.disableExternalSecrets }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: {{ $.Values.secretStore.esoApiVersion }}
 kind: ExternalSecret
 metadata:
   name: es-cloudinit-{{ $role }}
@@ -18,7 +18,7 @@ metadata:
     {{- end }}
   {{- end }}
 spec:
-  refreshInterval: 90s
+  refreshInterval: 1m30s
   secretStoreRef:
     name: {{ $.Values.secretStore.name }}
     kind: {{ $.Values.secretStore.kind }}
@@ -34,7 +34,7 @@ spec:
 {{- $identifier := printf "%s-%s-%s" (coalesce $vmr.os $def.os) $role $idx }}
 {{- if not $.Values.disableExternalSecrets }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: {{ $.Values.secretStore.esoApiVersion }}
 kind: ExternalSecret
 metadata:
   name: es-authorizedsshkeys-{{ $identifier }}
@@ -48,7 +48,7 @@ metadata:
     {{- end }}
   {{- end }}
 spec:
-  refreshInterval: 90s
+  refreshInterval: 1m30s
   secretStoreRef:
     name: {{ $.Values.secretStore.name }}
     kind: {{ $.Values.secretStore.kind }}
diff --git a/values.yaml b/values.yaml
index 4761145..0a95bfa 100644
--- a/values.yaml
+++ b/values.yaml
@@ -4,6 +4,7 @@ global:
   clusterDomain: example.com
 
 secretStore:
+  esoApiVersion: external-secrets.io/v1
   name: vault-backend
   kind: ClusterSecretStore
 
@@ -93,7 +94,7 @@ externalDataSources: {}
 # CloudInit configuration. If registry credentials are specified in
 # registryCredentialExternalSecrets then they will be fetched using an
 # ExternalSecret regardless of what this field is set to
-disableExternalSecrets: true
+disableExternalSecrets: false
 
 serviceAccountName: ansible-edge-gitops-sa
 rbac: