Kde bezpečně uložit databázová hesla, API klíče a certifikáty? Ne v kódu, ne v .env, ne v Confluence.

HashiCorp Vault¶

vault kv put secret/myapp db_password=”tajne” api_key=”sk_123” vault kv get -field=db_password secret/myapp

Python¶

import hvac client = hvac.Client(url=’https://vault:8200’, token=os.environ[‘VAULT_TOKEN’]) secret = client.secrets.kv.v2.read_secret_version(path=’myapp’)

Mozilla SOPS¶

sops –encrypt –age age1… config.yaml > config.enc.yaml sops –decrypt config.enc.yaml > config.yaml sops config.enc.yaml # Editace in-place

Kubernetes — External Secrets Operator¶

apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: myapp-secrets spec: refreshInterval: 1h secretStoreRef: name: vault-backend data: - secretKey: DB_PASSWORD remoteRef: key: secret/myapp property: db_password

Klíčový takeaway¶

Vault pro enterprise, SOPS pro menší týmy. Secrets nikdy v Gitu plaintext, vždy auditovatelné, vždy rotovatelné.