diff --git a/tests/golang_external_secrets_default_test.yaml b/tests/golang_external_secrets_default_test.yaml
index 3a3beeb..c2cf7c6 100644
--- a/tests/golang_external_secrets_default_test.yaml
+++ b/tests/golang_external_secrets_default_test.yaml
@@ -4,7 +4,30 @@ templates:
 release:
   name: release-test
 tests:
-  - it: Should output default values
+  - it: Should output default values for the secret
     asserts:
-      - hasDocuments:
-          count: 2
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: golang-external-secrets
+          namespace: golang-external-secrets
+        documentSelector:
+          path: kind
+          value: Secret
+      - equal:
+          path: metadata.annotations["kubernetes.io/service-account.name"]
+          value: golang-external-secrets
+        documentSelector:
+          path: kind
+          value: Secret
+
+  - it: Should output default values for the clusterrolebinding
+    asserts:
+      - containsDocument:
+          kind: ClusterRoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: role-tokenreview-binding
+          namespace: golang-external-secrets
+        documentSelector:
+          path: kind
+          value: ClusterRoleBinding
diff --git a/tests/golang_external_secrets_secretstore_test.yaml b/tests/golang_external_secrets_secretstore_test.yaml
new file mode 100644
index 0000000..be951df
--- /dev/null
+++ b/tests/golang_external_secrets_secretstore_test.yaml
@@ -0,0 +1,151 @@
+suite: Test golang-external-secrets cluster secret store
+templates:
+  - templates/vault/golang-external-secrets-hub-secretstore.yaml
+release:
+  name: release-test
+tests:
+  - it: should output nothing if .Value.global.secretStore is not "vault"
+    set:
+      global:
+        secretStore:
+          backend: "kubernetes"
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should output things if the backend is not set (we assume vault as a default)
+    set:
+      global:
+        secretStore:
+          backend: null
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ClusterSecretStore
+          apiVersion: external-secrets.io/v1beta1
+          name: vault-backend
+          namespace: golang-external-secrets
+
+  - it: should output things if the backend is set to vault
+    set:
+      global:
+        secretStore:
+          backend: "vault"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ClusterSecretStore
+          apiVersion: external-secrets.io/v1beta1
+          name: vault-backend
+          namespace: golang-external-secrets
+
+  - it: should set the vault server to the hubClusterDomain
+    set:
+      global:
+        hubClusterDomain: foo.bar.baz
+    asserts:
+      - equal:
+          path: spec.provider.vault.server
+          value: "https://vault-vault.foo.bar.baz"
+
+  - it: should set secretRef
+    asserts:
+      - equal:
+          path: spec.provider.vault.auth.kubernetes.secretRef.name
+          value: golang-external-secrets
+      - equal:
+          path: spec.provider.vault.auth.kubernetes.secretRef.namespace
+          value: golang-external-secrets
+      - equal:
+          path: spec.provider.vault.auth.kubernetes.secretRef.key
+          value: token
+
+  - it: should not set the caProvider when disabled
+    set:
+      golangExternalSecrets:
+        caProvider:
+          enabled: false
+    asserts:
+      - notExists:
+          path: spec.provider.vault.caProvider
+
+  - it: should set the caProvider to the hostCluster when on the hub
+    set:
+      clusterGroup:
+        isHubCluster: true
+      golangExternalSecrets:
+        caProvider:
+          hostCluster:
+            name: foo-bar-configmap
+            key: foo-key
+            namespace: foo
+    asserts:
+      - equal:
+          path: spec.provider.vault.caProvider.type
+          value: ConfigMap
+      - equal:
+          path: spec.provider.vault.caProvider.name
+          value: foo-bar-configmap
+      - equal:
+          path: spec.provider.vault.caProvider.key
+          value: foo-key
+      - equal:
+          path: spec.provider.vault.caProvider.namespace
+          value: foo
+
+  - it: should set the caProvider to the clientCluster when not on the hub
+    set:
+      clusterGroup:
+        isHubCluster: false
+      golangExternalSecrets:
+        caProvider:
+          clientCluster:
+            name: foo-bar-configmap
+            key: foo-key
+            namespace: foo
+    asserts:
+      - equal:
+          path: spec.provider.vault.caProvider.type
+          value: Secret
+      - equal:
+          path: spec.provider.vault.caProvider.name
+          value: foo-bar-configmap
+      - equal:
+          path: spec.provider.vault.caProvider.key
+          value: foo-key
+      - equal:
+          path: spec.provider.vault.caProvider.namespace
+          value: foo
+
+  - it: should set the kubernetes auth when on the hub
+    set:
+      clusterGroup:
+        isHubCluster: true
+      golangExternalSecrets:
+        rbac:
+          rolename: "hub-rolename"
+        vault:
+          mountPath: "hub-mount"
+    asserts:
+      - equal:
+          path: spec.provider.vault.auth.kubernetes.mountPath
+          value: hub-mount
+      - equal:
+          path: spec.provider.vault.auth.kubernetes.role
+          value: hub-rolename
+
+  - it: should set the kubernetes auth when not on the hub
+    set:
+      global:
+        clusterDomain: foo.bar
+      clusterGroup:
+        isHubCluster: false
+    asserts:
+      - equal:
+          path: spec.provider.vault.auth.kubernetes.mountPath
+          value: foo.bar
+      - equal:
+          path: spec.provider.vault.auth.kubernetes.role
+          value: foo.bar-role