I want a centralized way to manage keys and secrets. And some service users with little privileges over a subset of the secrets.
Ideally, a service user only should be able to read its own subset of secrets. So, let's say, if a container gets pwned it will only read its secrets and no more.
It should be FOSS and self-hostable.
And a beautiful nice-to-have feature would be access log, to know who read what and when.
My only experience with something similar is Hashicorp Vault, but I don't want to be near any Hashicorp stuff ever again.