StackProfile overview
Reference · livestack-profile:secrets-management
Secrets Management (Vault, Kubernetes, Terraform, Docker, Go) overview
A centralized secrets management platform built around HashiCorp Vault for dynamic secret generation, encryption-as-a-service, and PKI certificate issuance. Kubernetes workloads consume secrets via the Vault Agent sidecar injector, eliminating plaintext secrets in environment variables or ConfigMaps. Terraform provisions Vault policies, auth backends, and secret engines as code. Custom Go tooling provides CLI wrappers for developer self-service secret rotation. Deployed in Docker containers with HA storage backends. The tradeoff is Vault's operational complexity — unsealing, audit log management, and upgrade procedures require dedicated platform engineering attention.
Attributes
displayName
Secrets Management (Vault, Kubernetes, Terraform, Docker, Go)
composes
Outgoing edges
applies_to (2)
- domain:cybersecurity · Domain · Cybersecurity
- domain:platform-engineering · Domain · Platform Engineering
composed_of (8)
- tool:vault · Tool · HashiCorp Vault
- tool:kubernetes · Tool · Kubernetes
- tool:terraform · Tool · Terraform
- tool:docker · Tool · Docker
- language:go · Language · Go
- tool:sops · Tool · SOPS
- language:hcl · Language · HCL
- tool:helm · Tool · Helm
follows_workflow (2)
- workflow:secret-rotation · Workflow · Secret Rotation
- workflow:certificate-rotation · Workflow · Certificate Rotation
requires_skill_area (5)
- skill-area:secrets-rotation · SkillArea · Secrets Rotation
- skill-area:identity-security · SkillArea · Identity & Access Security
- skill-area:iac-security · SkillArea · IaC Security
- skill-area:k8s-rbac · SkillArea
- skill-area:policy-enforcement · SkillArea · Policy Enforcement
used_by_role (3)
- role:security-engineer · Role · Security Engineer
- role:platform-engineer · Role
- role:devops-engineer · Role
Incoming edges
None.