Vault & Secrets Management

What problem does it solve?

This Skill provides HashiCorp Vault and External Secrets Operator (ESO) best practices, ensuring secure, automated secrets management in Kubernetes. It guides users through Vault's lifecycle, preventing common security missteps and simplifying secret rotation.

Core Features & Use Cases

• Vault Lifecycle Management: Guides on initializing Vault (make vault-init) and unsealing it after restarts (make vault-unseal).
• External Secrets Operator Integration: Explains how ESO automates Kubernetes Secret creation directly from Vault, eliminating manual secret handling.
• Security Best Practices: Emphasizes never committing Vault keys to Git and using environment variables or ESO for secrets in code.
• Use Case: A developer needs to add a new API key to an application. This skill guides them to store it securely in Vault, define an ExternalSecret Custom Resource, and ensures the secret is automatically provisioned to Kubernetes, avoiding hardcoding and manual secret management.

Quick Start

Initialize Vault (run once for a new instance)

make vault-init

Unseal Vault (required after pod restarts)

make vault-unseal

Example ExternalSecret to sync a secret from Vault to Kubernetes

apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: app-secrets spec: refreshInterval: 1h secretStoreRef: name: vault-backend kind: SecretStore target: name: app-secrets creationPolicy: Owner data: - secretKey: api-key remoteRef: key: secret/data/app property: api_key