A single source for every secret
Nightshift integrates natively with HashiCorp Vault and OpenBao. API keys, tokens, and credentials are injected into agent pods at runtime, never baked into images, never written to disk.
Secrets without compromise
Every agent pod authenticates to Vault using its Kubernetes service account, fetches scoped short-lived secrets, and exposes them in-memory only. There are no static credentials in container images, no secrets stored on the agent filesystem, and no manual rotation. When an agent finishes its work, the secrets are gone with it.
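The flow described above, sketched as an added example (not Nightshift's own code): a pod exchanges its service account JWT at Vault's Kubernetes auth endpoint for a short-lived token, then reads one KV v2 secret into memory and refuses tokens that are not short-lived. The role name `agent`, the KV mount `secret`, the path `agents/demo`, the address, the `max_ttl` bound and the `fake_vault` stand-in with its responses are assumptions constructed for illustration.

```python
import json
import urllib.request

# Standard path of the projected service account token inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def http_json(method, url, body=None, headers=None):
    """Default transport: one JSON request to Vault."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def fetch_secret(addr, role, kv_path, jwt, transport=http_json, max_ttl=3600):
    """Exchange the pod JWT for a Vault token, then read one KV v2 secret.

    Returns (secret_dict, token_ttl_seconds); nothing is written to disk.
    """
    login = transport("POST", f"{addr}/v1/auth/kubernetes/login",
                      body={"role": role, "jwt": jwt})
    auth = login["auth"]
    ttl = auth["lease_duration"]
    # Fail closed: a TTL of 0 means a non-expiring token, and a very long
    # TTL defeats the point of short-lived credentials.
    if ttl <= 0 or ttl > max_ttl:
        raise ValueError(f"token TTL {ttl}s is not short-lived")
    resp = transport("GET", f"{addr}/v1/secret/data/{kv_path}",
                     headers={"X-Vault-Token": auth["client_token"]})
    return resp["data"]["data"], ttl  # KV v2 nests the payload under data.data

def fake_vault(ttl):
    """Constructed stand-in for Vault so the example runs offline."""
    def transport(method, url, body=None, headers=None):
        if url.endswith("/v1/auth/kubernetes/login"):
            if not body.get("jwt") or body.get("role") != "agent":
                raise PermissionError("permission denied")
            return {"auth": {"client_token": "hvs.CONSTRUCTED", "lease_duration": ttl}}
        if (headers or {}).get("X-Vault-Token") != "hvs.CONSTRUCTED":
            raise PermissionError("permission denied")
        return {"data": {"data": {"api_key": "constructed-value"}}}
    return transport

if __name__ == "__main__":
    # In a pod: jwt = open(SA_TOKEN_PATH).read(); transport defaults to http_json.
    secret, ttl = fetch_secret("http://vault.example:8200", "agent", "agents/demo",
                               "constructed.jwt", transport=fake_vault(900))
    print(sorted(secret), ttl)
```

The TTL check is worth keeping in any client of this kind: a misconfigured Vault role that issues long-lived tokens otherwise goes unnoticed until one leaks.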
Ready to deploy?
Install Nightshift into your own cluster with a single Helm chart.