diff --git a/.github/workflows/call-argocd-bootstrap.yaml b/.github/workflows/call-argocd-bootstrap.yaml
index deed9a9..6ecfd98 100644
--- a/.github/workflows/call-argocd-bootstrap.yaml
+++ b/.github/workflows/call-argocd-bootstrap.yaml
@@ -196,7 +196,7 @@ on:
 description: "Version of stuttgart-things/blueprints/argocd"
 required: false
 type: string
- default: v2.3.1
+ default: v2.4.0
 sops-module-version:
 description: "Version of stuttgart-things/dagger/sops (for kubeconfig decrypt step)"
 required: false
diff --git a/.github/workflows/call-create-vault-issuer.yaml b/.github/workflows/call-create-vault-issuer.yaml
index 2d0818c..9fab689 100644
--- a/.github/workflows/call-create-vault-issuer.yaml
+++ b/.github/workflows/call-create-vault-issuer.yaml
@@ -77,7 +77,7 @@ on:
 description: "Version of stuttgart-things/blueprints/argocd"
 required: false
 type: string
- default: v2.3.1
+ default: v2.4.0
 
 permissions:
 contents: read
diff --git a/.github/workflows/call-create-vault-k8s-auth.yaml b/.github/workflows/call-create-vault-k8s-auth.yaml
new file mode 100644
index 0000000..75f492f
--- /dev/null
+++ b/.github/workflows/call-create-vault-k8s-auth.yaml
@@ -0,0 +1,107 @@
+---
+name: Create Vault Kubernetes Auth backend (for ESO) with Dagger
+on:
+ workflow_call:
+ inputs:
+ # --- Source / checkout ---
+ source-repo:
+ description: "Repository containing the SOPS-encrypted kubeconfig + vault env file (owner/repo)"
+ required: true
+ type: string
+ branch-name:
+ description: "Git branch to checkout"
+ required: false
+ type: string
+ default: main
+
+ # --- Required ---
+ cluster-name:
+ description: "Target cluster name (prefixes the Vault auth backend path: -)"
+ required: true
+ type: string
+ kubeconfig-source-file:
+ description: "Path to SOPS-encrypted kubeconfig of the target cluster (relative to source-repo)"
+ required: true
+ type: string
+ vault-env-file:
+ description: "Path to SOPS-encrypted Vault env yaml (vaultAddr / vaultToken / vaultSkipVerify)"
+ required: true
+ type: string
+
+ # --- Optional knobs (defaults match the Dagger function) ---
+ auth-name:
+ description: "Auth backend + role name; also used as SA / SA-token Secret / CRB name on the cluster"
+ required: false
+ type: string
+ default: "eso"
+ namespace:
+ description: "Namespace on the target cluster for the SA + SA-token Secret"
+ required: false
+ type: string
+ default: "external-secrets"
+ token-policies:
+ description: "Comma-separated Vault policies to bind to the role (must pre-exist in Vault)"
+ required: false
+ type: string
+ default: "read-homerun2-pr"
+ token-ttl:
+ description: "TTL (seconds) for tokens minted via this role"
+ required: false
+ type: string
+ default: "3600"
+
+ # --- Runtime / versions ---
+ runs-on:
+ required: false
+ type: string
+ default: dagger-labda
+ environment-name:
+ required: false
+ type: string
+ default: k8s
+ dagger-version:
+ required: false
+ type: string
+ default: "0.20.8"
+ argocd-module-version:
+ description: "Version of stuttgart-things/blueprints/argocd"
+ required: false
+ type: string
+ default: v2.4.0
+
+permissions:
+ contents: read
+
+jobs:
+ Create-Vault-K8s-Auth:
+ name: Create Vault Kubernetes Auth Backend
+ runs-on: ${{ inputs.runs-on }}
+ environment: ${{ inputs.environment-name }}
+ steps:
+ - name: Checkout source repo
+ uses: actions/checkout@v6.0.2
+ with:
+ repository: ${{ inputs.source-repo }}
+ token: ${{ secrets.GH_TOKEN }}
+ ref: ${{ inputs.branch-name }}
+
+ - name: Run create-vault-k8s-auth
+ uses: dagger/dagger-for-github@v8.4.1
+ env:
+ SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+ with:
+ version: ${{ inputs.dagger-version }}
+ verb: call
+ module: github.com/stuttgart-things/blueprints/argocd@${{ inputs.argocd-module-version }}
+ args: >-
+ create-vault-k8s-auth
+ --cluster-name ${{ inputs.cluster-name }}
+ --kubeconfig-source-file ${{ inputs.kubeconfig-source-file }}
+ --vault-env-file ${{ inputs.vault-env-file }}
+ --sops-key env:SOPS_AGE_KEY
+ --auth-name ${{ inputs.auth-name }}
+ --namespace ${{ inputs.namespace }}
+ --token-policies ${{ inputs.token-policies }}
+ --token-ttl ${{ inputs.token-ttl }}
+ --cache-buster ${{ github.run_id }}-${{ github.run_attempt }}
+ cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
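Review bot: The "Checkout source repo" step authenticates with a personal token (`token: ${{ secrets.GH_TOKEN }}`) but does not set `persist-credentials: false`, so actions/checkout's default writes that token into the workspace's `.git/config`, where the following Dagger step (which presumably loads the checked-out directory to reach the SOPS-encrypted files) and anything it runs can read it; add `persist-credentials: false` under that step's `with:`, since no later step in this job performs authenticated git operations. Related, both actions and the module are pinned to mutable tags (`actions/checkout@v6.0.2`, `dagger/dagger-for-github@v8.4.1`, `argocd@${{ inputs.argocd-module-version }}` defaulting to `v2.4.0`); pinning the two actions to a full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<FULL_COMMIT_SHA> # v6.0.2`) removes the tag-retargeting path for a job that handles a Vault token and a cluster kubeconfig. Every `${{ inputs.* }}` is also interpolated verbatim into `args:`, so a value containing whitespace or an extra `--flag` is passed through to the Dagger CLI unchanged; that is tolerable for a `workflow_call` whose inputs come from caller workflows inside the repository trust boundary, but a one-line comment above `args:` stating that assumption would keep the next maintainer from exposing these inputs via `workflow_dispatch` without quoting them.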