diff --git a/docs/deploy-applications/hello-world-adding-configurations.mdx b/docs/deploy-applications/hello-world-adding-configurations.mdx
index df02398ae..3b389d225 100644
--- a/docs/deploy-applications/hello-world-adding-configurations.mdx
+++ b/docs/deploy-applications/hello-world-adding-configurations.mdx
@@ -1,31 +1,31 @@
---
-id: add-secrets-with-vault
-title: Add Secrets with Vault
+id: manage-environment-secrets
+title: Manage Environment Secrets
type: tutorial
---
-# Add Secrets with Vault
+# Manage Environment Secrets
:::caution prerequisite
You must have a running app from the [Deploy Your First App](deploy-first-app) tutorial before continuing.
:::
-In this guide, you'll learn how to store sensitive values in Vault and inject them into your application as environment variables. Instead of hardcoding secrets in your deployment configuration, you'll use an **ExternalSecret** that automatically syncs values from Vault into your Kubernetes pod.
+In this guide, you'll learn how to store sensitive values in an encrypted store and inject them into your application as environment variables. Instead of hardcoding secrets in your deployment configuration, you'll use an **ExternalSecret** that automatically syncs values from your secret store into your Kubernetes pod.
We'll add a new secret alongside the `GREETING_MESSAGE` you set up in the previous tutorial.
-## 1. Create a secret in Vault
+## 1. Create a secret
:::info
-Your cluster information page has a link to Vault:
+Your cluster information page has a link to the Encrypted Secret Store:
_If the domain above doesn't look right, update your **Captain Domain** in the top navigation bar._
:::
-From the cluster info home page, click the `Link` for **Secrets Management** to open Vault. For the role, enter **editor** (you need read/write access), then click **Sign in with OIDC Provider**.
+From the cluster info home page, click the `Link` for **Secrets Management** to open the secret store. For the role, enter **editor** (you need read/write access), then click **Sign in with OIDC Provider**.
-
+
Once logged in, select the **secret/** mount point.
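Review bot: Changing the front-matter `id` from `add-secrets-with-vault` to `manage-environment-secrets` moves the page to a new slug, and nothing in this patch adds a redirect from the old one. The in-repo references (`sidebars.js`, `hello-world.mdx`) are updated, but bookmarks and external links to the old path will stop resolving unless a redirect is configured elsewhere; please add one or confirm it exists. The hunk also uses three names for the same thing ("an encrypted store", "the Encrypted Secret Store", "the secret store"); pick one and use it throughout.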
@@ -39,7 +39,7 @@ Enter the details for your secret:
- **Path for this secret:** Use your app name (e.g., `hello-world`)
- **Key:** `SECRET_MESSAGE` (case sensitive)
-- **Value:** `This value came from Vault!`
+- **Value:** `This value came from your Secret Store!`

@@ -94,9 +94,9 @@ externalSecret:
:::info How it works
- `externalSecret.enabled: true` turns on the ExternalSecret integration.
- `secrets.hello-world` creates an ExternalSecret named after your app.
-- `dataFrom.key: secret/hello-world` tells it to pull **all** key-value pairs from the Vault path `secret/hello-world` and inject them as environment variables.
+- `dataFrom.key: secret/hello-world` tells it to pull **all** key-value pairs from the secret path `secret/hello-world` and inject them as environment variables.
-The `GREETING_MESSAGE` from `envVariables` remains unchanged — it's a static value defined in your config. The Vault secret (`SECRET_MESSAGE`) is injected alongside it automatically.
+The `GREETING_MESSAGE` from `envVariables` remains unchanged — it's a static value defined in your config. The secret (`SECRET_MESSAGE`) is injected alongside it automatically.
:::
## 3. Deploy
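Review bot: The `dataFrom.key` bullet now says "the secret path `secret/hello-world`" without naming the store that path lives in, and it states that **all** key-value pairs at that path are injected as environment variables. Since anything written under that path ends up in the pod's environment, add a sentence telling readers to keep only this app's values at `secret/hello-world`. Name the store once here as well (the Key concepts table calls it OpenBao) so "secret path" is unambiguous.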
@@ -108,20 +108,20 @@ Commit the changes and push. ArgoCD will sync the update in ~3 minutes.
Visit and look for both:
- `GREETING_MESSAGE=Hello, World!` — your static environment variable
-- `SECRET_MESSAGE=This value came from Vault!` — injected from Vault via ExternalSecret
+- `SECRET_MESSAGE=This value came from your Secret Store!` — injected via ExternalSecret
:::tip
-If the Vault secret doesn't appear immediately, give it a moment — the ExternalSecret controller refreshes every few seconds. You can also check the ExternalSecret resource status in the ArgoCD dashboard.
+If the secret doesn't appear immediately, give it a moment — the ExternalSecret controller refreshes every few seconds. You can also check the ExternalSecret resource status in the ArgoCD dashboard.
:::
## Key concepts
| Concept | Description |
|---------|-------------|
-| **ExternalSecret** | A Kubernetes resource that syncs secrets from an external provider (Vault) into a Kubernetes Secret. |
-| **`dataFrom`** | Pulls all key-value pairs from a Vault path — no need to list each key individually. |
+| **ExternalSecret** | A Kubernetes resource that syncs secrets from an external provider (e.g. OpenBao) into a Kubernetes Secret. |
+| **`dataFrom`** | Pulls all key-value pairs from a secret path — no need to list each key individually. |
| **`envVariables`** | Static env vars defined directly in your values file. Good for non-sensitive config. |
-| **Vault** | The secrets management system. Secrets are stored at paths like `secret/hello-world`. |
+| **OpenBao** | The secrets management system. Secrets are stored at paths like `secret/hello-world`. |
## Next steps
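Review bot: The Key concepts table names OpenBao in the ExternalSecret and OpenBao rows, but every other changed line in this guide says only "secret store", so the reader first meets the product name in the glossary. Either introduce OpenBao in the intro paragraph or keep the table generic. In the verification list, "injected via ExternalSecret" dropped the source; "injected from your secret store via ExternalSecret" would keep it parallel with the static-variable bullet above it.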
diff --git a/docs/deploy-applications/hello-world.mdx b/docs/deploy-applications/hello-world.mdx
index 9dedb9b6d..f2a4bf434 100644
--- a/docs/deploy-applications/hello-world.mdx
+++ b/docs/deploy-applications/hello-world.mdx
@@ -115,5 +115,5 @@ Look for `GREETING_MESSAGE=Hello, World!` in the output.
## Next steps
-- [Add Secrets with Vault](add-secrets-with-vault) — Pull sensitive configuration from Vault instead of hardcoding values.
+- [Add Secrets](manage-environment-secrets) — Pull sensitive configuration from your secret store instead of hardcoding values.
- [Traefik Ingress & Routing](/traefik-ingress) — Explore advanced routing patterns: path-based routing, middleware, rate limiting, and more.
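Review bot: The link text "Add Secrets" in the Next steps list does not match the target page's new title, "Manage Environment Secrets". Use the page title as the link text so the reader lands on a page with the heading they clicked.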
diff --git a/docs/deploy-applications/ingress/ingress-annotations.md b/docs/deploy-applications/ingress/ingress-annotations.md
index 389661634..948b7f903 100644
--- a/docs/deploy-applications/ingress/ingress-annotations.md
+++ b/docs/deploy-applications/ingress/ingress-annotations.md
@@ -1,6 +1,6 @@
---
id: glueops-ingress-and-loadbalancer-customizations
-title: Ingress Annotations
+title: "`ingress-nginx` Annotations"
---
diff --git a/docs/deploy-applications/traefik/middleware-basicauth.md b/docs/deploy-applications/traefik/middleware-basicauth.md
index 23c66b502..91fd05b15 100644
--- a/docs/deploy-applications/traefik/middleware-basicauth.md
+++ b/docs/deploy-applications/traefik/middleware-basicauth.md
@@ -183,5 +183,6 @@ stringData:
- The Secret must be in the same namespace as the Middleware (`nonprod`)
:::caution
-The credentials in this example are stored in plain text in your values file. For production use, consider using [ExternalSecrets](https://external-secrets.io/) to pull credentials from a secrets manager like AWS Secrets Manager or HashiCorp Vault.
+The credentials in this example are stored in plain text in your values file.
+:::consider using ExternalSecrets resources to pull credentials from our secret store.
:::
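Review bot: The added line `:::consider using ExternalSecrets resources to pull credentials from our secret store.` begins with the admonition fence `:::`, so it is likely to be parsed as an admonition marker rather than body text, and it leaves the closing `:::` on the next line without a clear opener. Drop the `:::` prefix and start the sentence properly, for example "For production use, consider using ExternalSecrets resources to pull credentials from our secret store." The rewrite also removes the link to https://external-secrets.io/ that the old sentence carried; keep it so readers can find the ExternalSecrets documentation.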
diff --git a/sidebars.js b/sidebars.js
index 02855e49a..0850e7958 100644
--- a/sidebars.js
+++ b/sidebars.js
@@ -26,7 +26,7 @@ const sidebars = {
collapsible: true,
items: [
"deploy-applications/deploy-first-app",
- "deploy-applications/add-secrets-with-vault",
+ "deploy-applications/manage-environment-secrets",
"deploy-applications/ingress/glueops-ingress-and-loadbalancer-customizations",
{
type: "category",
diff --git a/src/components/about-glueops.tsx b/src/components/about-glueops.tsx
index af5a9ea7b..b69678c6e 100644
--- a/src/components/about-glueops.tsx
+++ b/src/components/about-glueops.tsx
@@ -46,7 +46,7 @@ const callouts: Callout[] = [
},
{
title: "Encrypted Secret Management",
- text: "Ensure security with an encrypted secret store for confidential values, including seamless integration with popular options like AWS Secrets Manager.",
+ text: "Ensure security with an encrypted secret store for confidential values, including seamless integration with popular options like OpenBao.",
icon: ShareIcon,
},
{
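Review bot: The new callout text presents OpenBao as one of the "popular options" the encrypted secret store integrates with, while the Key concepts table in this same patch describes OpenBao as the secrets management system itself. If OpenBao is the store, reword the callout to say so (for example "an encrypted secret store powered by OpenBao") rather than listing it as an external integration.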