HashiCorp Vault |https://example.com/tags/hashicorp-vault/HashiCorp VaultHugoBlox Kit (https://hugoblox.com)en-usSat, 16 May 2026 00:00:00 +0000https://example.com/media/icon_hu_da05098ef60dc2e7.pngHashiCorp Vaulthttps://example.com/tags/hashicorp-vault/Stage II: CI/CD Pipeline, GitOps & Ephemeral Secretshttps://example.com/blog/stage-2-automation-zero-trust/Sat, 16 May 2026 00:00:00 +0000https://example.com/blog/stage-2-automation-zero-trust/<p>With a highly available K3s foundation established on my KVM environment in Stage I, the cluster was functional but not yet &ldquo;enterprise-grade.&rdquo; Manually applying manifests leads to configuration drift, and standard Kubernetes Secrets violate zero-trust security principles.</p> <p>This post covers <strong>Stage II</strong> of the roadmap: establishing a strict CI/CD GitOps pipeline and securing the cluster&rsquo;s sensitive credentials for my stateful workloads (specifically my n8n workflow engine and PostgreSQL database).</p> <h2 id="table-of-contents">Table of Contents</h2> <ol> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> </ol> <h2 id="github-actions">1. Continuous Integration with GitHub Actions</h2> <p>Before deployment can happen, the code must be built into an immutable artifact. I utilized <strong>GitHub Actions</strong> to automatically build my application code into Docker images and push them to the container registry on every main branch commit. This ensures that if a deployment breaks, I can instantly roll back to a previously tagged, working image.</p> <p>Here is a view of the automated pipeline successfully building and pushing the containerized application upon a new commit:</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" > <img alt="GitHub Actions CI Pipeline Success" srcset="https://example.com/blog/stage-2-automation-zero-trust/github-action_hu_6946e54d37ded239.webp 320w, https://example.com/blog/stage-2-automation-zero-trust/github-action_hu_aaa7ff0cdc704c77.webp 480w, https://example.com/blog/stage-2-automation-zero-trust/github-action_hu_258ec8fe3ef742a2.webp 760w" sizes="(max-width: 480px) 100vw, (max-width: 768px) 90vw, (max-width: 1024px) 80vw, 760px" src="https://example.com/blog/stage-2-automation-zero-trust/github-action_hu_6946e54d37ded239.webp" width="760" height="453" loading="lazy" data-zoomable /></div> </div></figure> </p> <h2 id="argocd">2. The GitOps Philosophy: ArgoCD &amp; Helm</h2> <p>The core rule of GitOps is simple: <strong>The Git repository is the single source of truth.</strong> I deployed <strong>ArgoCD</strong> to operate as a continuous reconciliation loop, tracking my GitHub repository. Rather than syncing raw YAML, ArgoCD dynamically renders my deployments using <strong>Helm</strong> and <strong>Kustomize</strong> before applying them to the K3s cluster.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">argoproj.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">whatsapp-bot-sync</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">argocd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">project</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;https://github.com/danack10/k3s-whatsapp-chatbot.git&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetRevision</span><span class="p">:</span><span class="w"> </span><span class="l">HEAD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">apps/whatsapp-bot/base</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destination</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;https://kubernetes.default.svc&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">whatsapp-bot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">automated</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prune</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selfHeal</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncOptions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CreateNamespace=True</span><span class="w"> </span></span></span></code></pre></div><p>Once applied, the GitOps synchronization kicks in. The following dashboard view shows ArgoCD mapping and deploying the entire application stack:</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" > <img alt="ArgoCD Application Sync Spiderweb" srcset="https://example.com/blog/stage-2-automation-zero-trust/argocd-tree_hu_6caeb52c84f0dc87.webp 320w, https://example.com/blog/stage-2-automation-zero-trust/argocd-tree_hu_4678e766810a09bc.webp 480w, https://example.com/blog/stage-2-automation-zero-trust/argocd-tree_hu_e9fa480fd7716cc8.webp 760w" sizes="(max-width: 480px) 100vw, (max-width: 768px) 90vw, (max-width: 1024px) 80vw, 760px" src="https://example.com/blog/stage-2-automation-zero-trust/argocd-tree_hu_6caeb52c84f0dc87.webp" width="760" height="492" loading="lazy" data-zoomable /></div> </div></figure> </p> <p><strong>The Challenge:</strong> Setting up secure authentication for ArgoCD to pull from my private repository was tricky. I wanted to use a dynamic GitHub App rather than a static Personal Access Token (PAT). Ensuring the GitHub App had the correct permissions scoped strictly to the <code>k3s-whatsapp-chatbot</code> repo took some trial and error. Additionally, before my edge ingress was fully established, I had to utilize <code>kubectl port-forward</code> routed entirely through my Tailscale mesh to access the ArgoCD UI, keeping the interface completely hidden from the public internet.</p> <h2 id="secrets-problem">3. The Problem with K8s Secrets</h2> <p>Deploying standard applications via GitOps is straightforward, but deploying secrets presents a major security flaw. You cannot push raw or base64-encoded secrets into a Git repository.</p> <p>To solve this, I deployed <strong>HashiCorp Vault</strong> as the centralized, encrypted credential store inside the cluster.</p> <h2 id="vault">4. Declarative Security with Vault &amp; OpenTofu</h2> <p>Many engineers deploy Vault and then manually configure it using CLI commands (<code>vault write auth/kubernetes...</code>). To maintain my declarative infrastructure standards, I bypassed the CLI entirely and used the <strong>OpenTofu Vault Provider</strong> to configure Vault&rsquo;s state as code. This allowed me to declaratively define my Kubernetes authentication roles, policies, and secret engines.</p> <p><strong>The Challenge:</strong> Learning to manage persistent state in Kubernetes was a huge learning curve. Stateful workloads like Vault, n8n, and PostgreSQL require robust Persistent Volume Claims (PVCs). At one point, my <code>vault-0</code> pod entered a failure state. The &ldquo;junior developer&rdquo; instinct is to simply delete the PVC, tear the Vault down, and rebuild it from scratch. However, in an enterprise environment with thousands of production secrets, deleting the database is catastrophic! Instead of wiping it, I architected a proper recovery process: safely restarting the pod, maintaining the PVC integrity, and gracefully unsealing the vault using my Shamir key shares.</p> <h2 id="eso">5. Bridging the Gap: External Secrets Operator (ESO)</h2> <p>While Vault securely stores the credentials, my stateful workloads (n8n and Postgres) still need a way to read them without hardcoding Vault API logic into the application containers.</p> <p>I implemented the <strong>External Secrets Operator (ESO)</strong> to act as an automated courier. It authenticates with Vault, reads the secure payload, and dynamically injects it into a standard native Kubernetes Secret.</p> <p>Here we define two distinct <code>ExternalSecret</code> manifests in a single multi-document YAML file. The first manifest pulls static database credentials, while the second pulls an ephemeral GitHub token:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># 1. Manifest for static n8n database credentials</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">n8n-creds-sync</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">whatsapp-bot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1h&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vault-backend-global</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterSecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">bot-secrets</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">DB_POSTGRESDB_USER</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">n8n/config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">POSTGRES_USER</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">DB_POSTGRESDB_PASSWORD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">n8n/config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">POSTGRES_PASSWORD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">N8N_ENCRYPTION_KEY</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">n8n/config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">ENCRYPTION_KEY</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># 2. Manifest for dynamic GitHub Token</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">github-token-sync</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">whatsapp-bot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;45m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vault-github-backend</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">SecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">github-auth-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">GITHUB_TOKEN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">github-app/token/whatsapp-bot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">token</span><span class="w"> </span></span></span></code></pre></div><p>Because this <code>ExternalSecret</code> manifest contains no actual passwords (only reference pointers to Vault), it is perfectly safe to commit to GitHub and deploy via ArgoCD. The n8n and Postgres pods then consume <code>pg-secret-live</code> natively.</p> <p>Here is the verification from the cluster showing the ExternalSecret successfully synchronized with Vault, proving the ephemeral credential pipeline is fully functional:</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" > <img alt="ESO SecretSynced Status" srcset="https://example.com/blog/stage-2-automation-zero-trust/eso-proof_hu_547b9c035fee72b5.webp 320w, https://example.com/blog/stage-2-automation-zero-trust/eso-proof_hu_5571c2a63559a7fd.webp 480w, https://example.com/blog/stage-2-automation-zero-trust/eso-proof_hu_d0498f824edfd9cf.webp 760w" sizes="(max-width: 480px) 100vw, (max-width: 768px) 90vw, (max-width: 1024px) 80vw, 760px" src="https://example.com/blog/stage-2-automation-zero-trust/eso-proof_hu_547b9c035fee72b5.webp" width="760" height="235" loading="lazy" data-zoomable /></div> </div></figure> </p> <h2 id="outcomes">6. Stage II Outcomes</h2> <p>By the end of Phase 6, the cluster achieved a true DevSecOps deployment pipeline:</p> <ul> <li><strong>Zero Manual Intervention:</strong> Code pushed to Git is built by Actions, and automatically synchronized by ArgoCD.</li> <li><strong>Persistent &amp; Stateful:</strong> n8n, PostgreSQL, and Vault are securely backed by PVCs.</li> <li><strong>Zero-Trust Credentials:</strong> No sensitive data exists in the repository. Configuration is handled declaratively via OpenTofu, and credentials are injected ephemerally by Vault and ESO.</li> </ul> <p>With the deployment engine automated and secured, the cluster is ready to be exposed to the internet.</p> <p><strong>Next up:</strong> In , I cover how I secured the edge perimeter using <strong>Cloudflare Tunnels</strong> and established full-stack observability with <strong>Prometheus and Grafana</strong>.</p>