LinkedIn Draft — Workflow (2026-05-05)

Something I keep explaining in architecture reviews:

Secrets management: designing for rotation, not just storage

Most orgs solve 'where do we store secrets securely.' The teams that get paged at 2am are the ones who never solved 'how do we rotate them without downtime.'

Storage-only design:

    Secret ──▶ Vault
                 │
            Pod (env var)
                 │
            Restart to get new value

Rotation-aware design:

    Secret ──▶ Vault ──▶ Agent Injector
                              │
                         Pod (file mount)
                              │
                         Auto-reload ◀────── Lease renewer
                         (zero downtime)

Where it breaks:

▸ Secrets as env vars require pod restarts on rotation — making rotation a deployment event with blast radius.
▸ Vault leases expiring in long-running jobs produce auth errors that look like app bugs, not infra failures.
▸ Secret sprawl across namespaces means rotation happens in 12 places — and one always gets missed.

The rule I keep coming back to:

→ Design rotation before you design storage.…
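The right-hand column of the diagram in code, as an added example that is not part of the draft above: a consumer that reads a file-mounted secret and picks up the rotated value without a restart, keeping the last good value while the file is briefly empty or missing mid-swap. The path and values are constructed for the example; whatever writes the file (a Vault Agent sidecar, a projected volume) is assumed to exist and is not shown.

```python
import hashlib
import tempfile
import time
from pathlib import Path


class ReloadingSecret:
    # Serves a file-mounted secret and re-reads it on change, so a rotation never
    # needs a pod restart. Keeps the last good value while the file is briefly
    # missing or empty (a sidecar or volume projection swapping it in place).
    def __init__(self, path, min_interval=1.0):
        self.path, self.min_interval = Path(path), min_interval
        self._checked_at, self.value, self.version, self.reloads = float("-inf"), None, None, 0

    def get(self):
        now = time.monotonic()
        if now - self._checked_at >= self.min_interval:   # cheap poll, not on every call
            self._checked_at = now
            self._refresh()
        if self.value is None:
            raise RuntimeError(f"no secret available yet at {self.path}")
        return self.value

    def _refresh(self):
        try:
            raw = self.path.read_bytes().strip()
        except FileNotFoundError:
            return  # file being replaced: keep last good value
        if not raw:
            return  # writer truncated but has not written yet: keep last good value
        version = hashlib.sha256(raw).hexdigest()[:12]  # lets callers see a rotation
        if version != self.version:
            self.value, self.version, self.reloads = raw.decode(), version, self.reloads + 1


def simulate_rotation():
    # Constructed scenario: rotate the secret file under a running consumer.
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "db-password"
        path.write_text("pw-v1\n")
        src = ReloadingSecret(path, min_interval=0)  # check on every call
        seen = [src.get()]                           # initial value
        path.write_text("pw-v2\n")
        seen.append(src.get())                       # new value, no restart
        path.write_text("")                          # writer mid-swap: empty file
        seen.append(src.get())                       # last good value retained
        path.unlink()                                # file briefly missing
        seen.append(src.get())
        return seen, src.reloads
```

The `version` hash is what a connection pool or HTTP client would compare to decide whether to rebuild its credentials, which is the "auto-reload" box in the diagram.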