No More Hardcoded Secrets

I don’t want:

  • app containers with static DB passwords baked in,
  • environment variables full of long-lived credentials,
  • or “secret.yaml” files committed by accident.

My goal is:

  • short-lived secrets,
  • delivered via Vault Agents,
  • rendered into files through templates or mounted as volumes.

The Pattern I’m Aiming For

Per app or service:

  1. A Vault Agent runs as a sidecar or companion container.
  2. It authenticates to Vault (e.g. via mTLS and a constrained role).
  3. It fetches secrets and renders them into files using templates.
  4. The main app container reads these files at startup or on reload.

So instead of:

DB_PASSWORD=my-super-secret

in environment variables, I want:

/app/secrets/db_password

generated by Vault Agent, valid for a limited time.
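As an added example (not from the original post), here is a Vault Agent configuration that implements steps 1-4 above: TLS certificate auth against a constrained cert role, a short-lived credential from the database secrets engine rendered into /app/secrets/db_password, and an app reload whenever the lease is renewed. The Vault address, file paths, the role name "appuser" and the secret path "database/creds/app" are assumptions.

```hcl
# /etc/vault-agent/agent.hcl (assumed path) - runs as the service user, e.g. appuser.
pid_file = "/run/vault-agent/agent.pid"

vault {
  address = "https://vault.internal.example:8200"  # assumed Vault address
  ca_cert = "/etc/vault-agent/tls/ca.pem"          # pin the Vault server CA (mTLS)
}

auto_auth {
  # Step 2: authenticate with a client certificate bound to a constrained cert role.
  # The "appuser" role on Vault should allow only this cert's CN and attach a policy
  # that grants nothing beyond read on database/creds/app.
  method "cert" {
    mount_path = "auth/cert"
    config = {
      name        = "appuser"                           # assumed cert role name
      client_cert = "/etc/vault-agent/tls/appuser.crt"
      client_key  = "/etc/vault-agent/tls/appuser.key"
    }
  }

  # The agent token is written to a file readable only by the service user;
  # the app never needs it because it only reads the rendered secret file.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0600
    }
  }
}

# Step 3: fetch a dynamic DB credential and render it to a file.
# database/creds/app is a lease-backed secret, so Vault generates a fresh
# username/password with a TTL; the agent renews or re-renders it before expiry.
template {
  contents    = "{{ with secret \"database/creds/app\" }}{{ .Data.password }}{{ end }}"
  destination = "/app/secrets/db_password"
  perms       = 0640
  # Step 4: tell the app to re-read /app/secrets/db_password after a rotation
  # (assumed unit name; a SIGHUP or an API call would also work).
  command     = "systemctl reload app.service"
}
```

With this in place nothing long-lived sits in the container: the cert only authenticates, the agent token lives in a mode-0600 file, and the rendered password is whatever the database engine issued for the current lease.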

Why This Fits My VPS

Even on a single VPS:

  • I can run agents per service user (appuser, proxy*, etc.).
  • Agents talk to Vault with mTLS and scoped policies.
  • I get closer to the patterns used in larger infrastructures, while still keeping it small and understandable.