MireCloud Series · Part 7 · DevSecOps Your Kubernetes Secrets Are Not Safe. Here's the Forensic Proof — and the Fix. Why your Vault + ESO setup leaks plaintext credentials into etcd, and how to close the gap with Encryption at Rest and the Vault CSI Driver. Zero Trust ⏱ ~15 min read ☸ Kubernetes v1.34 Reproducible lab Kubernetes v1.34 HashiCorp Vault External Secrets Operator Secrets Store CSI Driver AES-CBC / AES-GCM / KMS v2 etcdctl ArgoCD Cilium Gateway API ▸ TL;DR If you run HashiCorp Vault with External Secrets Operator on Kubernetes, your application secrets are stored as plaintext bytes in etcd . Any operator with kubectl get secrets , any backup of your control plane, or any disk that ever held an etcd snapshot can recover them in seconds. This post proves it with a hexdump from a live cluster, then closes the gap with two layered controls: Encryption at Rest to prot...
BUILDING MIRECLOUD A Production-Grade Kubernetes Homelab from Scratch BARE METAL · GITOPS · ZERO TRUST · OBSERVABILITY · LLM Kubernetes Cilium Keycloak Vault ArgoCD eBPF OIDC Prometheus 🐙 github.com/mirecloud/home_lab A journey through bare metal, GitOps, OIDC, and the beautiful chaos of running enterprise-grade infrastructure in your living room. There's a specific kind of madness that grips platform engineers at some point in their career. It usually starts with an innocent thought: "I should have a homelab." Then you buy one server. Then two. Then you're configuring etcd, arguing with NFS mount options at 1 AM, and explaining to your partner why the internet is down because you're "testing Cilium network policies." Welcome to MireCloud — my bare-metal Kubernetes homelab, built to mirror what real production infrastructure lo...