
Self-hosted secrets, passwords, and certificates for Kubernetes. AES-256-GCM at rest, PAT-based machine auth, CLI + GitHub Action + K8s sync CronJob, Keycloak SSO. The self-hosted alternative to Doppler — running in production at Sensey today.
CLI, UI, GitHub Action, and PAT-authenticated machines write encrypted secrets
AES-256-GCM ciphertext at rest, scoped per organization, project, and environment
The sync CronJob runs every 2 minutes inside each cluster, pulls scoped secrets, and writes them to Kubernetes Secrets
Annotated for Stakater Reloader — pods auto-restart on content change
Kagi is how Sensey manages every secret, password, and certificate across our Kubernetes clusters. Every production credential described here runs through Kagi today — delivered to pods by a sync CronJob and rotated without downtime via Stakater Reloader. We built it because we needed it.
AES-256-GCM at rest, per-organization scoping, and a project + environment hierarchy. Soft-delete with full audit trail — you own the data and you own the encryption keys.
A CronJob syncs Kagi projects to Kubernetes Secrets every two minutes. Pods auto-reload via Stakater Reloader annotations, so credentials rotate without manual restarts or downtime.
Personal Access Tokens (vv_ prefix, SHA-256 hashed) with optional expiry and organization scoping. The same tokens power the CLI, CI/CD pipelines, and in-cluster sync jobs.
The kagi Go CLI ships via Homebrew. A GitHub Action injects secrets into $GITHUB_ENV, kagi run -- <cmd> wraps local dev commands, and .env bulk import/export keeps existing workflows intact.
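The token handling described above (vv_ prefix, SHA-256 hash stored instead of the token, optional expiry, organization scoping) can be sketched as follows. This is an added example, not Kagi's own code: the 32-byte hex token body, the TokenRecord fields, and the function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

const tokenPrefix = "vv_" // prefix stated on the page

// TokenRecord is what the server stores: the hash, never the token (hypothetical layout).
type TokenRecord struct {
	Hash      [32]byte
	OrgID     string
	ExpiresAt time.Time // zero value means no expiry
}

// IssueToken returns the plaintext token (shown to the user once) and the record to persist.
func IssueToken(orgID string, expiresAt time.Time) (string, TokenRecord, error) {
	raw := make([]byte, 32) // 256 bits from the CSPRNG; high entropy is why a fast hash suffices
	if _, err := rand.Read(raw); err != nil {
		return "", TokenRecord{}, err
	}
	token := tokenPrefix + hex.EncodeToString(raw)
	return token, TokenRecord{Hash: sha256.Sum256([]byte(token)), OrgID: orgID, ExpiresAt: expiresAt}, nil
}

// VerifyToken checks format and hash (constant time), then expiry, then organization scope.
func VerifyToken(presented, orgID string, rec TokenRecord, now time.Time) error {
	sum := sha256.Sum256([]byte(presented))
	switch {
	case !strings.HasPrefix(presented, tokenPrefix), subtle.ConstantTimeCompare(sum[:], rec.Hash[:]) != 1:
		return errors.New("invalid token") // one message for both, so callers learn nothing extra
	case !rec.ExpiresAt.IsZero() && !now.Before(rec.ExpiresAt):
		return errors.New("token expired")
	case rec.OrgID != orgID:
		return errors.New("token not scoped to this organization")
	}
	return nil
}

func main() {
	tok, rec, _ := IssueToken("org-example", time.Now().Add(time.Hour)) // constructed sample org
	fmt.Println(VerifyToken(tok, "org-other", rec, time.Now()))        // scope mismatch is rejected
}
```

Because only the hash is persisted, a leaked database row cannot be replayed as a credential; the prefix also gives secret scanners a fixed pattern to match in repositories and logs.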
Engineer or CI writes secret via CLI, UI, or GitHub Action
AES-256-GCM encryption using per-organization data key
Persisted as ciphertext in Postgres with audit metadata
CronJob pulls scoped project into in-cluster Kubernetes Secret
Pods mount the updated Secret as env vars or files
Stakater Reloader restarts affected Deployments on content change
Platform engineers replacing Doppler or Vault with a self-hosted, Kubernetes-native alternative they fully control
DevOps teams that need GitOps-friendly secret delivery with automatic pod reloads and zero-downtime rotation
Security-conscious SMEs that want full ownership of their encryption keys, audit trail, and data residency
Join the founding circle and run the same secrets platform that Sensey uses to protect its own Kubernetes workloads.