Week 15: Secrets Management — HashiCorp Vault
Theme: Securely manage secrets with Vault: dynamic secrets, encryption, rotation.
Learning Objectives
- Install and initialize HashiCorp Vault (dev mode, then HA)
- Configure secret engines: KV v2, database dynamic secrets
- Authenticate applications via Kubernetes auth method
- Implement secret rotation and auditing
Reading Materials
- Vault Introduction
- Vault Getting Started
- Vault Secret Engines
- Vault Kubernetes Auth
- Vault Database Dynamic Secrets
- Vault Agent Sidecar Injector
- Bank Vault (open-source Vault operator)
Finger Exercises (choose 2)
- Install Vault dev mode. Enable KV v2 secrets engine. Write/read secrets using CLI and HTTP API.
- Enable database dynamic secrets for PostgreSQL. Configure a role that creates 1-hour credentials.
- Enable Kubernetes auth. Configure a role that maps a K8s ServiceAccount to a Vault policy.
Project
- Deploy Vault to the K8s cluster (HA mode with Raft storage backend)
- Configure:
- KV v2: static secrets (API keys, certificates)
- Database dynamic secrets: PostgreSQL and Redis credentials, TTL 24h, auto-rotation
- Integrate with the Go app:
- Use Vault Agent sidecar to inject secrets
- The Go app reads secrets from a shared volume (not environment variables)
- Demonstrate credential rotation: revoke a database secret, the app gets new credentials on next request
- Set up audit logging: all Vault API calls logged to a file + Loki
- Create a Vault policy for each app:
go-app-policy: readkv/go-app/*,database/creds/go-apppython-worker-policy: readkv/python-worker/*,database/creds/python-workeradmin-policy: full access
Time Budget
| Activity | Time |
|---|---|
| Reading | 1.5 hrs |
| Finger exercises | 2 hrs |
| Project | 2.5 hrs |
| Total | 6 hrs |