Implement automated secrets rotation with HashiCorp Vault for database credentials, API keys, and TLS certificates. This guide provides practical setup instructions and production-ready configurations for implementing this on your VPS infrastructure.
Installation and Setup
# Install the tool on your VPS
# Follow the official installation guide for your distribution
# Most tools support Docker-based deployment for easy setup
# Quick start with Docker
docker pull secrets-rotation-hashicorp-vault:latest
docker run -d --name secrets-rotation-hashicorp-vault -p 8080:8080 secrets-rotation-hashicorp-vault:latest
# Or install natively
curl -fsSL https://install.example.com | sh
Core Configuration
The primary configuration covers dynamic secrets and secret engines setup. These form the foundation of a working deployment:
# Primary configuration file
# Adjust these settings based on your environment

# Enable core features
dynamic secrets:
  enabled: true
  interval: 300 # seconds

# Configure secret engines
secret engines:
  enabled: true
  targets:
    - production
    - staging

# Authentication and security
auth:
  type: token
  token_file: /etc/secrets/api-token
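Before the service starts, the configuration above is worth validating rather than trusting: the token file is a bearer credential, so it must not be readable by other users, and the rotation interval must be short enough that a lease is renewed before it expires. The following startup check is an added example, not code from any Vault distribution; it assumes the YAML has already been loaded into a dict (PyYAML's yaml.safe_load would do that), and the rule that the interval must fit three times into the lease TTL is an assumption tied to renewing at two thirds of the TTL.

```python
"""Startup checks for the core configuration (added example; all names here are
assumptions, not a real tool's API)."""
import os
import stat
import tempfile

# Mirrors the YAML shown above; the token path is filled in by demo().
SAMPLE_CONFIG = {
    "dynamic secrets": {"enabled": True, "interval": 300},
    "secret engines": {"enabled": True, "targets": ["production", "staging"]},
    "auth": {"type": "token", "token_file": "/etc/secrets/api-token"},
}


def check_token_file(path: str) -> list[str]:
    """The token is a bearer credential: it must exist, be a regular file,
    be non-empty, and be readable only by its owner."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"token_file {path} does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"token_file {path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"token_file {path} is readable by group or others (mode {mode:o})")
    if st.st_size == 0:
        problems.append(f"token_file {path} is empty")
    return problems


def validate_config(cfg: dict, lease_ttl_seconds: int) -> list[str]:
    """Return a list of problems; an empty list means the config is safe to start with."""
    problems = []

    ds = cfg.get("dynamic secrets", {})
    if ds.get("enabled"):
        interval = ds.get("interval", 0)
        if not isinstance(interval, (int, float)) or interval <= 0:
            problems.append("dynamic secrets.interval must be a positive number of seconds")
        elif interval * 3 > lease_ttl_seconds:
            # Assumption: renewal happens at 2/3 of the TTL, so the check loop must
            # run at least once inside the final third of every lease.
            problems.append(
                f"dynamic secrets.interval {interval}s is too long for a {lease_ttl_seconds}s lease TTL"
            )

    se = cfg.get("secret engines", {})
    if se.get("enabled"):
        targets = se.get("targets", [])
        if not targets or not all(isinstance(t, str) and t for t in targets):
            problems.append("secret engines.targets must be a non-empty list of names")

    auth = cfg.get("auth", {})
    if auth.get("type") != "token":
        problems.append(f"auth.type {auth.get('type')!r} is not supported; expected 'token'")
    elif not auth.get("token_file"):
        problems.append("auth.token_file is required for token auth")
    else:
        problems.extend(check_token_file(auth["token_file"]))
    return problems


def demo(token_mode: int = 0o600, interval: int = 300, lease_ttl: int = 3600) -> list[str]:
    """Write a constructed token file with the given mode and validate the sample config against it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "api-token")
        with open(path, "w") as f:
            f.write("CONSTRUCTED-SAMPLE-TOKEN\n")  # constructed placeholder, not a real token
        os.chmod(path, token_mode)
        cfg = {
            "dynamic secrets": {**SAMPLE_CONFIG["dynamic secrets"], "interval": interval},
            "secret engines": SAMPLE_CONFIG["secret engines"],
            "auth": {"type": "token", "token_file": path},
        }
        return validate_config(cfg, lease_ttl)


if __name__ == "__main__":
    print("0600 token, 300s interval:", demo() or "ok")
    print("0644 token:", demo(token_mode=0o644))
    print("1500s interval:", demo(interval=1500))
```

The mode check uses the permission bits only (stat.S_IRWXG | stat.S_IRWXO), so a file owned by the service user with mode 0600 passes while 0640 or 0644 is rejected; this is the same property a systemd unit running as an unprivileged User= relies on.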
Automatic Rotation Configuration
Setting up automatic rotation is essential for production reliability:
# Configure automatic rotation
# This ensures your setup handles production workloads correctly

# Key settings for automatic rotation:
# 1. Set appropriate resource limits
# 2. Configure health checks
# 3. Enable logging and monitoring
# 4. Set up backup and recovery
resources:
  limits:
    cpu: "2"
    memory: "2Gi"
  requests:
    cpu: "500m"
    memory: "512Mi"

healthCheck:
  enabled: true
  interval: 30s
  timeout: 10s
Lease Management Integration
Integrating lease management provides visibility into system health and performance:
# Set up monitoring and alerting

# Prometheus metrics endpoint
metrics:
  enabled: true
  port: 9090
  path: /metrics

# Alert rules
alerts:
  - name: HighErrorRate
    condition: error_rate > 0.05
    duration: 5m
    severity: critical
    notify:
      - slack
      - email

# Dashboard integration
# Import provided Grafana dashboards for visual monitoring
Audit Logging and Operational Best Practices
- Security: Always use TLS for communication, rotate credentials regularly, and follow the principle of least privilege
- High availability: Run multiple instances behind a load balancer for production workloads
- Backup: Regularly back up configuration and state data
- Updates: Keep the tool updated for security patches and new features
- Documentation: Maintain runbooks for common operations and incident response
Production Deployment
# Systemd service for production

[Unit]
Description=Secrets Rotation HashiCorp Vault
After=network.target docker.service

[Service]
Type=simple
User=appuser
ExecStart=/usr/local/bin/secrets-rotation-hashicorp-vault serve --config /etc/secrets-rotation-hashicorp-vault/config.yaml
Restart=always
RestartSec=5
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target

# Enable and start
sudo systemctl enable --now secrets-rotation-hashicorp-vault
Summary
This tool streamlines dynamic secrets and secret engines workflows for DevOps teams. Self-hosting on a VPS provides full control, unlimited usage, and integration with your existing infrastructure. Start with the basic configuration, add monitoring early, and gradually adopt advanced features like lease management and audit logging as your team matures its practices.