Vault & Secrets
Just-in-time secrets, brokered into every deploy — never stored in plaintext.
A two-tier secret system. The vault-broker mints scoped, short-lived leases against your meta-cluster; the vault-bridge-agent runs inside your network and proxies to whichever secret manager you already use. Manifests reference secrets by path — the platform fetches them at deploy time.
How it works
- 01 vault-broker authenticates to the meta-cluster with AppRole, mints a child token scoped to one job, and wraps it in a cubbyhole.
- 02 vault-bridge-agent, deployed in your network, long-polls per workspace and resolves the reference against your upstream vault.
- 03 Your manifest declares env.from_vault: secret/path#key; the orchestrator injects the value during deploy and discards the lease after.
- 04 Every issue, read and rotation emits an audit event to the control plane.
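The four steps above, modelled end to end as an added example (not the platform's own code): it parses the `secret/path#key` reference from step 03, issues a lease scoped to that one path, reads the value, discards the lease, and records an audit event for each action. The in-memory `UPSTREAM` store, the `AUDIT` list and the names `Lease`, `issue`, `read` and `inject` are hypothetical stand-ins for the broker, bridge agent and control plane.

```python
import re, secrets, time
from dataclasses import dataclass, field

# Constructed stand-in for the upstream secret manager (not real data).
UPSTREAM = {"secret/payments/db": {"password": "constructed-value", "user": "svc"}}
AUDIT = []  # hypothetical audit sink standing in for the control plane
# Strict grammar for 'secret/path#key': no '.', no empty segments, exactly one '#'.
REF = re.compile(r"^(?P<path>[\w-]+(?:/[\w-]+)*)#(?P<key>[\w-]+)$", re.ASCII)

def parse_ref(ref):
    """Split 'secret/path#key' into (path, key); reject anything else."""
    m = REF.fullmatch(ref)
    if not m:
        raise ValueError(f"malformed secret reference: {ref!r}")
    return m["path"], m["key"]

@dataclass
class Lease:
    job: str
    path: str       # the single path this lease may read
    expires: float  # absolute expiry time in seconds
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    revoked: bool = False

def issue(job, path, ttl=30.0, now=None):
    now = time.time() if now is None else now
    AUDIT.append(("issue", job, path))
    return Lease(job, path, now + ttl)

def read(lease, path, key, now=None):
    now = time.time() if now is None else now
    if lease.revoked or now >= lease.expires or path != lease.path:
        AUDIT.append(("deny", lease.job, path))
        raise PermissionError("lease does not permit this read")
    AUDIT.append(("read", lease.job, path))
    return UPSTREAM[path][key]

def inject(job, env_refs, now=None):
    """Resolve each from_vault reference with its own lease, then discard it."""
    env = {}
    for name, ref in env_refs.items():
        path, key = parse_ref(ref)
        lease = issue(job, path, now=now)
        try:
            env[name] = read(lease, path, key, now=now)
        finally:
            lease.revoked = True  # lease is discarded even if the read fails
            AUDIT.append(("revoke", job, path))
    return env
```
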
Go deeper
Full technical reference — setup, schema and worked examples.