← Current Platform / operations

Secrets authority

Vault

A central authority for sensitive configuration that keeps credentials out of repositories and workload definitions.

VaultExternal SecretsKubernetes authPolicy

01 / Why it exists

Declarative delivery is only safe when secrets have a lifecycle separate from Git.

02 / Architecture

Vault owns secret material; External Secrets projects narrowly scoped values into Kubernetes workloads. Authentication and policy define which workload may read what.

03 / Lessons

What operation taught me.

  1. 01Secret distribution is an identity problem before it is a storage problem.
  2. 02Rotation has to be designed into consumers, not added at the authority.

Screenshots

Operational captures will be added when they can be safely published.

Source / Config

Public configuration will appear here when the boundary is ready.

Related material

This field note is the first public documentation for this component.