Design Secrets Management for a Regulated GitOps Pipeline
Overview
What this challenge is about.
Design the secrets topology: HashiCorp Vault as the single source of truth, with External Secrets Operator (ESO) syncing secrets into Kubernetes Secrets and refreshing them on a schedule. Draw SecretStore and ClusterSecretStore boundaries per team, so that one team's store cannot read another team's Vault paths. Keep Sealed Secrets as an emergency break-glass fallback for when Vault or ESO is unavailable. Implement this for 6 services, covering these secret types: DB passwords, OAuth client secrets, third-party API keys, TLS private keys, encryption keys and webhook signing secrets. Auto-rotate wherever the backend supports it (DB passwords as short-lived dynamic credentials from the Vault database secrets engine). Deliver the Vault configuration, the ESO manifests, a 10-page audit-ready writeup and an appendix mapping the controls to the DSPT (Data Security and Protection Toolkit).
The Brief
What you'll do, and what you'll demonstrate.
Replace fragmented secrets management with External Secrets Operator + Vault for 6 services and produce DSPT-audit-ready evidence the compliance team will accept.
Earning criteria — what you'll demonstrate
- Design a secrets topology that scales with team count and regulatory requirements
- Integrate External Secrets Operator with Vault for GitOps-native flows
- Implement auto-rotation for secrets that support it (DB credentials)
- Produce compliance evidence in a form auditors will accept
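As an added example of the topology described in the Overview and in the criteria above (these manifests are not the challenge's own deliverable or ESO's documentation), the following shows one team's ClusterSecretStore restricted to that team's namespaces, plus an ExternalSecret that pulls short-lived database credentials from the Vault database secrets engine. The Vault host, namespaces, auth role, policy, database role and TTLs are assumptions made for illustration.

```yaml
# Added example: one team's ESO store boundary plus a dynamic DB credential.
# Host, namespaces, role names, mount paths and TTLs are assumptions.
#
# Assumed Vault side (not shown here): a Kubernetes auth role "eso-payments"
# bound to service account external-secrets/external-secrets, attached to a
# policy that grants only "read" on database/creds/orders-rw, and a database
# role "orders-rw" with default_ttl=1h and max_ttl=24h.
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-db-payments
spec:
  # Team boundary: only ExternalSecrets in these namespaces may reference
  # this store. Other teams get their own store bound to their own Vault role,
  # so a misconfigured ExternalSecret cannot reach across team paths.
  conditions:
    - namespaces:
        - payments
        - payments-staging
  provider:
    vault:
      server: "https://vault.internal.example:8200"
      # Mount path of the database secrets engine. version is v1 because
      # this is not a KV v2 mount; static secrets (OAuth, API keys, ...)
      # would use a separate store pointed at a KV v2 mount with version v2.
      path: "database"
      version: "v1"
      caProvider:
        type: ConfigMap
        name: vault-ca
        namespace: external-secrets
        key: ca.crt
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "eso-payments"
          serviceAccountRef:
            name: "external-secrets"
            namespace: "external-secrets"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: orders-db
  namespace: payments
spec:
  # Re-read well inside the database role's default_ttl so a fresh lease is
  # issued before the current credentials expire. ESO does not renew leases;
  # every refresh yields a new username/password pair, so the workload must
  # reload the mounted Secret (or be restarted) to keep working.
  refreshInterval: 30m
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-db-payments
  target:
    name: orders-db
    creationPolicy: Owner   # Secret is owned by, and garbage-collected with, this resource
    deletionPolicy: Retain  # keep the last good credentials if the ExternalSecret is removed
  data:
    - secretKey: username
      remoteRef:
        key: creds/orders-rw
        property: username
    - secretKey: password
      remoteRef:
        key: creds/orders-rw
        property: password
```

Two checks an auditor will ask for: that the Vault policy behind the eso-payments role lists only the paths this team needs (the ClusterSecretStore conditions limit who can reference the store, but the Vault policy is what limits what the store can read), and that refreshInterval is strictly shorter than the database role's default_ttl, otherwise pods will run on expired credentials between refreshes. The break-glass Sealed Secrets path is deliberately separate from this flow and should be documented as such in the writeup.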
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Career mappings coming soon.