diff --git a/platform/vault/files/generate-secrets/go.mod b/platform/vault/files/generate-secrets/go.mod
new file mode 100644
index 00000000..f753ee94
--- /dev/null
+++ b/platform/vault/files/generate-secrets/go.mod
@@ -0,0 +1,52 @@
+module git.khuedoan.com/khuedoan/homelab/vault/init
+
+go 1.17
+
+require github.com/hashicorp/vault/api v1.4.1
+
+require (
+ github.com/armon/go-metrics v0.3.9 // indirect
+ github.com/armon/go-radix v1.0.0 // indirect
+ github.com/cenkalti/backoff/v3 v3.0.0 // indirect
+ github.com/fatih/color v1.7.0 // indirect
+ github.com/golang/protobuf v1.5.2 // indirect
+ github.com/golang/snappy v0.0.4 // indirect
+ github.com/hashicorp/errwrap v1.1.0 // indirect
+ github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+ github.com/hashicorp/go-hclog v0.16.2 // indirect
+ github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+ github.com/hashicorp/go-multierror v1.1.1 // indirect
+ github.com/hashicorp/go-plugin v1.4.3 // indirect
+ github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
+ github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+ github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 // indirect
+ github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 // indirect
+ github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+ github.com/hashicorp/go-uuid v1.0.2 // indirect
+ github.com/hashicorp/go-version v1.2.0 // indirect
+ github.com/hashicorp/golang-lru v0.5.4 // indirect
+ github.com/hashicorp/hcl v1.0.0 // indirect
+ github.com/hashicorp/vault/sdk v0.4.1 // indirect
+ github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
+ github.com/mattn/go-colorable v0.1.6 // indirect
+ github.com/mattn/go-isatty v0.0.12 // indirect
+ github.com/mitchellh/copystructure v1.0.0 // indirect
+ github.com/mitchellh/go-homedir v1.1.0 // indirect
+ github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+ github.com/mitchellh/mapstructure v1.4.2 // indirect
+ github.com/mitchellh/reflectwalk v1.0.0 // indirect
+ github.com/oklog/run v1.0.0 // indirect
+ github.com/pierrec/lz4 v2.5.2+incompatible // indirect
+ github.com/ryanuber/go-glob v1.0.0 // indirect
+ go.uber.org/atomic v1.9.0 // indirect
+ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
+ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
+ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
+ golang.org/x/text v0.3.3 // indirect
+ golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
+ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect
+ google.golang.org/grpc v1.41.0 // indirect
+ google.golang.org/protobuf v1.26.0 // indirect
+ gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+)
diff --git a/platform/vault/files/generate-secrets/main.go b/platform/vault/files/generate-secrets/main.go
new file mode 100644
index 00000000..72d2c743
--- /dev/null
+++ b/platform/vault/files/generate-secrets/main.go
@@ -0,0 +1,36 @@
+package main
+
+import (
+ "log"
+ // "crypto/rand"
+
+ vault "github.com/hashicorp/vault/api"
+)
+
+func main() {
+ config := vault.DefaultConfig()
+
+ config.Address = "http://127.0.0.1:8200"
+
+ client, err := vault.NewClient(config)
+ if err != nil {
+ log.Fatalf("unable to initialize Vault client: %v", err)
+ }
+
+ // Authenticate
+ // WARNING: This quickstart uses the root token for our Vault dev server.
+ // Don't do this in production!
+ client.SetToken("root") // TODO use secure token
+
+ secretData := map[string]interface{}{
+ "data": map[string]interface{}{
+ "value": "verystronkpassword",
+ },
+ }
+
+ _, err = client.Logical().Write("secret/data/gitea/admin-password", secretData)
+ if err != nil {
+ log.Fatalf("Unable to write secret: %v", err)
+ }
+ log.Println("Secret written successfully.")
+}
diff --git a/platform/vault/templates/generate-secrets-source.yaml b/platform/vault/templates/generate-secrets-source.yaml
new file mode 100644
index 00000000..6630acc2
--- /dev/null
+++ b/platform/vault/templates/generate-secrets-source.yaml
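Review bot: The `"value": "verystronkpassword"` literal means the admin password this job is meant to generate is a fixed string committed to the repository, and the `Write` call below it runs unconditionally, so every run overwrites `secret/data/gitea/admin-password` with that same known value. The client is likewise pinned to the literal `root` token and to `http://127.0.0.1:8200`, which override the `VAULT_TOKEN`/`VAULT_ADDR` values that `vault.DefaultConfig()` and `vault.NewClient` already pick up from the environment, so the TODO could be closed by dropping `SetToken` and the address assignment and failing when no token was supplied. I would also read the path first and skip the write when it already holds data, and fill the value from `crypto/rand` (the import is already present, commented out); `encoding/base64` needs importing alongside it.

```go
func main() {
	// … unchanged: DefaultConfig / NewClient and its error check …

	// NewClient already honours VAULT_TOKEN; refuse to run with no token rather than fall back to a literal.
	if client.Token() == "" {
		log.Fatal("VAULT_TOKEN is not set")
	}

	const path = "secret/data/gitea/admin-password"

	// Keep the job idempotent: never overwrite a password a previous run generated.
	existing, err := client.Logical().Read(path)
	if err != nil {
		log.Fatalf("unable to read %s: %v", path, err)
	}
	if existing != nil && existing.Data != nil {
		log.Println("Secret already present, nothing to do.")
		return
	}

	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		log.Fatalf("unable to generate password: %v", err)
	}
	secretData := map[string]interface{}{
		"data": map[string]interface{}{
			"value": base64.RawURLEncoding.EncodeToString(buf),
		},
	}

	// … unchanged: Write call, error check and success log …
}
```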
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: generate-secrets-source
+ namespace: {{ .Release.Namespace }}
+data:
+{{ (.Files.Glob "files/generate-secrets/*").AsConfig | indent 2 }}