This skill provides HashiCorp Vault best practices for secrets management.
Provides HashiCorp Vault best practices for secrets management, including initialization, unsealing, and External Secrets Operator integration. Activates when working with secrets in Kubernetes, managing Vault lifecycle operations, or setting up new environments.
Activates when:
- working with secrets in Kubernetes
- managing Vault lifecycle operations
- setting up new environments
Command: `make vault-init`
This initializes a new Vault instance and saves the unseal keys and root token to the `vault-init/` directory.
```shell
# Initialize Vault (first time only)
make vault-init
# Keys are saved to vault-init/ directory:
# - vault-init/unseal-key-1
# - vault-init/unseal-key-2
# - vault-init/unseal-key-3
# - vault-init/root-token
```
Command: `make vault-unseal`
Required after every pod restart. Vault starts in a sealed state and must be unsealed with the keys saved during initialization.
```shell
# Unseal Vault (after pod restart)
make vault-unseal
```
Why unsealing is needed: Vault holds its storage encryption key only in memory, and that key is protected by the unseal keys, so every freshly started Vault process is sealed until enough unseal keys have been supplied.
❌ Don't:
```shell
# Don't commit these files
git add vault-init/
git commit -m "vault keys" # NEVER DO THIS
```
✅ Do:
```shell
# Ensure vault-init/ is in .gitignore
echo "vault-init/" >> .gitignore
# Store keys securely offline
# - Password manager
# - Encrypted backup
# - Secure key management system
```
❌ Don't:
```go
// Don't hardcode secrets
const apiKey = "sk-1234567890abcdef"
password := "supersecret123"
```
✅ Do:
```go
// Use environment variables populated from Vault (requires: import "os")
apiKey := os.Getenv("API_KEY")
// Or use External Secrets Operator,
// which automatically creates k8s Secrets from Vault
```
External Secrets Operator manages Kubernetes Secret creation from Vault.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: app-secrets
    creationPolicy: Owner
  data:
    - secretKey: api-key
      remoteRef:
        key: secret/data/app
        property: api_key
```
This creates a Kubernetes Secret named `app-secrets` (owned by the ExternalSecret because of `creationPolicy: Owner`) whose `api-key` entry holds the `api_key` field of the Vault secret at `remoteRef.key`. That key must name the path the secret was actually written to: for a secret written with `vault kv put secret/myapp/config` it would be `secret/data/myapp/config`, since the KV v2 API path includes the `data/` segment.
```shell
# 1. Write secret to Vault
vault kv put secret/myapp/config \
  api_key=abc123 \
  db_password=secretpass
# 2. Create ExternalSecret CR
kubectl apply -f external-secret.yaml
# 3. Verify Kubernetes Secret was created
kubectl get secret app-secrets
kubectl describe secret app-secrets
```
```shell
# 1. Update secret in Vault
# (kv put replaces the whole secret, dropping db_password;
#  use `vault kv patch` to change a single field of a KV v2 secret)
vault kv put secret/myapp/config api_key=newkey123
# 2. ESO automatically syncs (based on refreshInterval)
# Or manually trigger sync by deleting the k8s Secret
kubectl delete secret app-secrets
# 3. ESO recreates Secret with new value
kubectl get secret app-secrets -o yaml
```
```shell
# Check Vault status
kubectl exec -it vault-0 -- vault status
# Check if Vault is sealed
kubectl logs vault-0 | grep sealed
# Check External Secrets Operator
kubectl logs -n external-secrets deployment/external-secrets
# Check ExternalSecret status
kubectl describe externalsecret app-secrets
```
When setting up Vault in a new environment:
1. Run `make vault-init` to initialize Vault
2. Store the keys written to `vault-init/` securely offline
3. Add `vault-init/` to `.gitignore`
4. Run `make vault-unseal` to unseal Vault

When Vault pods restart:
```shell
# 1. Check Vault status
kubectl get pods -l app=vault
# 2. Vault will be sealed - check logs
kubectl logs vault-0 | tail -20
# 3. Unseal Vault
make vault-unseal
# 4. Verify Vault is operational
kubectl exec vault-0 -- vault status
```
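The troubleshooting commands and the pod-restart runbook above can be folded into one check. This added example (not part of the skill or its Makefile) parses the JSON that `vault status -format=json` and `kubectl get externalsecret -o json` emit and maps the observed state onto the runbook steps; the pod name `vault-0` and the ExternalSecret name `app-secrets` come from the page, and the sample JSON is constructed.

```python
import json
import subprocess


def vault_seal_state(status_json: str) -> dict:
    """Summarise `vault status -format=json`: initialized, sealed, unseal progress."""
    st = json.loads(status_json)
    return {
        "initialized": bool(st.get("initialized")),
        "sealed": bool(st.get("sealed")),
        # "progress" = unseal keys supplied so far, "t" = threshold needed
        "unseal_progress": f"{st.get('progress', 0)}/{st.get('t', 0)}",
    }


def external_secret_ready(es_json: str) -> tuple:
    """Return (ready, message) from the ExternalSecret's Ready condition."""
    obj = json.loads(es_json)
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("message", "")
    return False, "no Ready condition yet (ESO has not reconciled it)"


def next_action(vault: dict, es_ready: bool) -> str:
    """Map the observed state onto the runbook steps."""
    if not vault["initialized"]:
        return "run `make vault-init`"
    if vault["sealed"]:
        return f"run `make vault-unseal` (progress {vault['unseal_progress']})"
    if not es_ready:
        return "check `kubectl logs -n external-secrets deployment/external-secrets`"
    return "ok"


# Constructed samples, shaped like the real command output.
SAMPLE_VAULT_SEALED = '{"type":"shamir","initialized":true,"sealed":true,"t":3,"n":5,"progress":1}'
SAMPLE_ES_FAILED = ('{"status":{"conditions":[{"type":"Ready","status":"False",'
                    '"reason":"SecretSyncedError","message":"could not get secret data"}]}}')


def run(cmd):
    # `vault status` exits 2 while sealed, so a non-zero exit is not an error here
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    vault = vault_seal_state(run(["kubectl", "exec", "vault-0", "--", "vault", "status", "-format=json"]))
    ready, msg = external_secret_ready(run(["kubectl", "get", "externalsecret", "app-secrets", "-o", "json"]))
    print(vault, msg, "->", next_action(vault, ready))
```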
✅ Do:
- `make vault-init`
- `make vault-unseal`

❌ Don't:
- Commit `vault-init/` to git
- Hardcode secrets in application code