Implementation of a Centralized Secret Storage for an Agricultural IT Company
Project Description
The client is an IT company specializing in solutions for agriculture. Its main areas of work are the development of autonomous agricultural systems, topographic surveying of terrain with drones, and analysis of vegetation condition based on the images obtained.

Client's Main Requests: Implement a centralized secret storage within the company. The company had started actively working with external contractors, which necessitated a radical review of its approach to the security of tokens, passwords, and other sensitive data. Integrate the centralized secret storage with GitLab CI/CD and several key systems in self-hosted Kubernetes, including JupyterHub.
Key Metrics
  • 6 internal teams
  • 10+ subcontractors working with sensitive data
Key Challenges and Results
After discussing the task with the client and conducting a full audit of its infrastructure and of how teams actually worked with secrets, we settled on HashiCorp Vault as the most suitable solution.

We deployed HashiCorp Vault Community Edition as two independent clusters with indirect replication between them, creating separate production and test zones. The next key challenge was not so much the physical deployment of the solution as its integration into everyday business processes: creating access matrices and standard roles, and migrating the teams from disparate tools to a single Vault.

As required by the Information Security department, we enabled audit logging of all API requests to Vault in blocking mode, so that a request is not served unless it has been logged. For this, we integrated Vault with the client's existing ELK stack cluster.

The delivery of secrets to pods was organized using Vault Agent Injector, which ensured several things:
  • A strictly defined set of secrets injected into each working environment, including the Jupyter Notebook environments used by external contractors.
  • Complete logging of all requests for secrets.
  • Automatic rotation of secrets in databases and third-party information systems through Vault's built-in mechanisms.
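To make this delivery model concrete, here is an added example (not the project's own manifest) of a Jupyter pod that receives only its allotted secrets through Vault Agent Injector; the namespace, service account, Vault role and database role names are assumptions.

```yaml
# Added example, not the client's manifest. The Vault role "jupyterhub-analytics"
# and the database role "analytics-ro" are assumed names.
apiVersion: v1
kind: Pod
metadata:
  name: jupyter-analyst-01
  namespace: jupyterhub
  annotations:
    # Ask the injector's mutating webhook to add the Vault Agent sidecar.
    vault.hashicorp.com/agent-inject: "true"
    # Kubernetes auth role: binds this pod's service account to one Vault
    # policy, so the pod can read only the paths that policy grants.
    vault.hashicorp.com/role: "jupyterhub-analytics"
    # Render dynamic credentials from the database secrets engine into
    # /vault/secrets/db-creds. Each read is a new lease that Vault audit-logs
    # and revokes on expiry, which is how rotation happens with no cron job.
    vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/analytics-ro"
    vault.hashicorp.com/agent-inject-template-db-creds: |
      {{- with secret "database/creds/analytics-ro" -}}
      PGUSER={{ .Data.username }}
      PGPASSWORD={{ .Data.password }}
      {{- end }}
    # Keep the sidecar running so it renews the lease and re-renders the
    # file when Vault issues new credentials.
    vault.hashicorp.com/agent-pre-populate-only: "false"
spec:
  serviceAccountName: jupyterhub-analyst
  containers:
    - name: notebook
      image: jupyter/scipy-notebook:latest
      # Load the rendered file at start. No credential appears in the image,
      # the manifest, or the environment shown by `kubectl describe`.
      command: ["/bin/sh", "-c"]
      args:
        - "set -a; . /vault/secrets/db-creds; set +a; exec start-notebook.sh"

# Matching least-privilege Vault policy (HCL, assumed name "jupyterhub-analytics"):
#   path "database/creds/analytics-ro" {
#     capabilities = ["read"]
#   }
```

Because the policy grants a single read path, a compromised notebook cannot enumerate or fetch other teams' secrets, and every credential it does obtain is short-lived and traceable in the audit log.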

As a result of our work, the client received a centralized, transparent secret storage that significantly reduced the risk of passwords, tokens, and other sensitive data leaking through secrets accidentally committed to code or through unauthorized access.
