All posts
8 posts · Secrets
Vault Kubernetes auth: secrets without static tokensLet pods authenticate to Vault with their service account token and get short-lived secrets — no bootstrap secret to leak.Jun 9, 2026 · 12 minAdvancedvaultkubernetesDynamic database credentials for Jenkins with VaultStop pasting Postgres passwords into Jenkins credentials. Vault mints a fresh user per build and revokes it when the job ends.Mar 24, 2026 · 11 minIntermediatevaultjenkinsEncrypt secrets in Git with SOPS and ageKeep encrypted secrets safely in your repo, decrypt them in CI, and never commit a plaintext credential again.Mar 3, 2026 · 8 minIntermediatesopsageShort-lived TLS certificates from Vault PKIRun an internal CA in Vault and issue certs that live for hours, not years — rotation becomes a non-event.Nov 4, 2025 · 11 minAdvancedvaultpkiAnsible Vault vs HashiCorp Vault: which secret goes whereOne encrypts files in your repo, the other serves secrets at runtime. Most teams need both — here is the split that works.Sep 23, 2025 · 7 minBeginneransiblevaultExternal Secrets Operator: sync Vault into KubernetesKeep the source of truth in Vault and let the operator materialize Kubernetes Secrets your pods can mount.Jul 29, 2025 · 9 minIntermediatekubernetesvaultAutomating secret rotation without downtimeRotate database and API credentials on a schedule using overlapping versions so nothing breaks mid-rotation.May 6, 2025 · 10 minAdvancedsecretsrotationCatch secrets before commit with gitleaks and pre-commitBlock credentials at the git hook, scan history for what already leaked, and wire the same check into CI.Feb 25, 2025 · 6 minBeginnergitleakspre-commit