
feat: add native HashiCorp Vault integration for secrets management#491

Open
d0dg3r wants to merge 4 commits into Finsys:main from d0dg3r:feature/vault-integration

Conversation


@d0dg3r d0dg3r commented Feb 6, 2026

Proposed change

Summary

This PR adds native HashiCorp Vault integration to Dockhand, enabling stacks to fetch secrets directly from Vault and inject them as environment variables during deployment.

Motivation

Note: This is more of a Proof of Concept than a polished PR. I found it easier to demonstrate the feature through working code rather than just describing it in words.

Users using HashiCorp Vault as their secrets management solution currently have no way to integrate it directly with Dockhand. This creates friction and potential security gaps when managing Docker stacks. This feature bridges that gap while maintaining Dockhand's simplicity and security focus.

I'm open to feedback on the approach and happy to refine the implementation based on your guidance.

Changes

New Files:

  • src/lib/server/vault.ts - Vault client with Token/AppRole/Kubernetes auth
  • src/lib/server/vault-sync.ts - Secret synchronization logic
  • src/lib/server/secrets-file.ts - .secrets.yaml parser
  • src/routes/api/vault/* - API endpoints for Vault configuration
  • src/routes/settings/vault/VaultTab.svelte - Settings UI component
  • docs/VAULT_INTEGRATION.md - Architecture documentation
  • docs/VAULT_TUTORIAL.md - Step-by-step setup guide
  • docs/examples/vault-test/ - Example stack files

Database Migrations:

  • drizzle/0004_add_vault_config.sql / drizzle-pg/0004_add_vault_config.sql
  • drizzle/0005_add_vault_tls_skip.sql / drizzle-pg/0005_add_vault_tls_skip.sql

Modified Files:

  • Schema files for vaultConfig table
  • src/lib/server/git.ts - Vault sync integration in Git stack flow
  • src/routes/stacks/+page.svelte - Added Git/Vault/All sync buttons
  • src/lib/config/grid-columns.ts - Wider actions column for new buttons

Features

Feature               | Description
----------------------|---------------------------------------------------------------
Multiple Auth Methods | Token, AppRole, Kubernetes
.secrets.yaml         | Stack-level secret mappings in Git repos
Flexible Mapping      | Simple or explicit key mapping with path overrides
Auto-Redeploy         | triggerRedeploy flag for automatic redeployment on secret change
Granular Sync         | Separate Git / Vault / All sync buttons in UI
Self-signed TLS       | Skip TLS verification option for internal Vault servers

How to Test

  1. Set up Vault (Docker dev server):

     docker run -d --name vault-dev -p 8200:8200 \
       -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' \
       hashicorp/vault:latest

  2. Create test secrets:

     export VAULT_ADDR='http://localhost:8200'
     export VAULT_TOKEN='myroot'
     vault kv put secret/test DATABASE_PASSWORD="secret123"

  3. Configure in Dockhand: Settings > Vault > Enter URL and Token > Test Connection

  4. Create a Git stack with a .secrets.yaml:

     vault:
       path: secret/data/test
     secrets:
       - DATABASE_PASSWORD

  5. Sync and Deploy: use the sync buttons to fetch secrets and deploy

Full tutorial available in docs/VAULT_TUTORIAL.md

Dependencies

No new runtime dependencies (uses native fetch for Vault API)

Breaking Changes

None. Vault integration is fully optional and disabled by default.


Closes #(issue or discussion)

Type of change

  • [ ] Bug fix: non-breaking change which fixes an issue.
  • [x] New feature / Enhancement: non-breaking change which adds functionality.
  • [ ] Breaking change: fix or feature that would cause existing functionality to not work as expected.
  • [ ] Other. Please explain:

- Add Vault client with Token, AppRole, and Kubernetes authentication
- Add .secrets.yaml parser for stack-level secret mappings
- Add automatic secret sync from Vault to encrypted stack environment variables
- Add triggerRedeploy option for automatic redeployment on secret changes
- Add granular sync modes (Git-only, Vault-only, All)
- Add Vault settings UI with connection testing
- Add comprehensive documentation and tutorial
- Support self-signed TLS certificates

BREAKING CHANGES: None (Vault integration is optional)

Co-authored-by: Cursor <cursoragent@cursor.com>
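As an added illustration of the flow the PR describes (this is example code written for this review, not Dockhand's vault.ts or secrets-file.ts), the snippet below parses the simple .secrets.yaml form shown in the test steps, builds the KV v2 read request against the path in the file, and maps the response onto environment variables. It assumes the stack's secrets live in a KV v2 engine (hence the `secret/data/...` path) and that Vault's standard `X-Vault-Token` header carries the token; the minimal parser handles only the two-key shape on this page, not the explicit-mapping or path-override forms.

```typescript
interface SecretsFile { path: string; secrets: string[] }

// Minimal parser for the two-key .secrets.yaml shape shown in the PR (not a general YAML parser).
function parseSecretsFile(text: string): SecretsFile {
  let path = "";
  const secrets: string[] = [];
  let section = "";
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trimEnd();
    if (!line.trim()) continue;
    // Top-level keys ("vault:", "secrets:") switch the section; indented lines belong to it.
    if (!line.startsWith(" ")) { section = line.replace(":", "").trim(); continue; }
    const body = line.trim();
    if (section === "vault" && body.startsWith("path:")) path = body.slice(5).trim();
    else if (section === "secrets" && body.startsWith("- ")) secrets.push(body.slice(2).trim());
  }
  if (!path || secrets.length === 0) throw new Error(".secrets.yaml needs vault.path and at least one secret");
  return { path, secrets };
}

// KV v2 read: GET {addr}/v1/{path} with the token in X-Vault-Token (assumed KV v2 layout, as in the PR's test).
function buildReadRequest(addr: string, token: string, file: SecretsFile) {
  return { url: `${addr.replace(/\/$/, "")}/v1/${file.path}`, headers: { "X-Vault-Token": token } };
}

// Map the KV v2 response body (key/value pairs sit under data.data) to env vars. A key listed in
// .secrets.yaml but absent in Vault is an error, so a misconfigured stack never deploys with an
// empty credential.
function toEnvVars(file: SecretsFile, body: { data?: { data?: Record<string, string> } }): Record<string, string> {
  const kv = body.data?.data ?? {};
  const out: Record<string, string> = {};
  const missing: string[] = [];
  for (const key of file.secrets) {
    if (key in kv) out[key] = kv[key]; else missing.push(key);
  }
  if (missing.length) throw new Error(`missing in ${file.path}: ${missing.join(", ")}`);
  return out;
}

// Constructed sample input mirroring the PR's "How to Test" steps (not captured from a real Vault).
const SAMPLE_FILE = "vault:\n  path: secret/data/test\nsecrets:\n  - DATABASE_PASSWORD\n";
const SAMPLE_RESPONSE = { data: { data: { DATABASE_PASSWORD: "secret123" }, metadata: { version: 1 } } };
```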

CLAassistant commented Feb 6, 2026

CLA assistant check
All committers have signed the CLA.

@d0dg3r d0dg3r marked this pull request as draft February 7, 2026 19:10

lucas-fs commented Feb 7, 2026

@d0dg3r Nice work on this PoC! 🚀
This can definitely be used as inspiration to add the functionality mentioned in #243


d0dg3r commented Feb 7, 2026

> @d0dg3r Nice work on this PoC! 🚀 This definitely can be used as inspiration to add the functionality mentioned on #243

Thanks, yes exactly.

feat: enhance Vault integration with dynamic sync buttons

- Update API calls to include Vault configuration retrieval
- Introduce vaultEnabled state to manage UI based on Vault status
- Modify sync button logic to conditionally display options for Git, Vault, or both based on Vault integration status
- Ensure single sync button is shown when Vault is not active

This update improves user experience by providing relevant sync options based on the availability of Vault.
@d0dg3r d0dg3r marked this pull request as ready for review February 15, 2026 13:29