diff --git a/k8s/11.md b/k8s/11.md
new file mode 100644
index 0000000000..0770a8462d
--- /dev/null
+++ b/k8s/11.md
@@ -0,0 +1,74 @@
+## Task 1
+
+Create a secret
+
+```bash
+kubectl create secret generic my-secret --from-literal=key1=val1 --from-literal=key2=val2
+```
+
+Get secrets
+
+```bash
+kubectl get secrets
+```
+
+```
+NAME TYPE DATA AGE
+my-secret Opaque 2 10s
+```
+
+Describe a secret
+
+```bash
+kubectl describe secret my-secret
+```
+
+```
+Name: my-secret
+Namespace: default
+Labels:
+Annotations:
+
+Type: Opaque
+
+Data
+====
+key1: 4 bytes
+key2: 4 bytes
+```
+
+```bash
+kubectl get secret my-secret -o jsonpath='{.data}'
+```
+
+```
+{"key1":"dmFsMQ==","key2":"dmFsMg=="}
+```
+
+We can decode them by piping into base64 command
+
+```bash
+echo dmFsMQ== | base64 --decode # val1
+echo dmFsMg== | base64 --decode # val2
+```
+
+## HELM Secrets
+
+```bash
+gpg --gen-key # with password qwerty123
+gpg --list-keys # get fingerprint
+sops -p $FINGERPRINT helm-app-python/secrets.yaml
+helm secrets install helm-app-python helm-app-python -f ./helm-app-python/secrets.yaml --values ./helm-app-python/values.yaml
+```
+
+Get secret
+
+```bash
+kubectl exec helm-app-python-ff25659a37-043fa -- printenv | grep MY_PASSWORD
+```
+
+Output
+
+```bash
+MY_PASSWORD=qwerty123
+```
diff --git a/k8s/helm_app_python/secrets.yaml b/k8s/helm_app_python/secrets.yaml
new file mode 100644
index 0000000000..b9dcc325e2
--- /dev/null
+++ b/k8s/helm_app_python/secrets.yaml
@@ -0,0 +1,24 @@
+password: ENC[AES256_GCM,data:3DOMxH2tlZe3,iv:NcvkUkG0e65ri+OE0WvdFbWtABG5M7psIueVs4C8vaE=,tag:KaWPd1xgo0zf2FZTLUzSOQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-04-16T21:36:54Z"
+ mac: ENC[AES256_GCM,data:Rwt/3ij0J67Ki2FAC/ygVZBcGc4anA5eC/YC0oJ80Y8LcK5ryNppdOjiFWz/XrCgBoYj4KA6gocBEyHXP/mmA1ztsCHNKw0DTr+t8Tnh087nqYYf3MGVgxSeJwfz8gKMnsGWKIjiX9N7Y90TIkiu9g1QGYxTPoboRoJaycHay4E=,iv:n82iJWRJE7cVja/fV53aqlwpz78KHYkqTfQ5f6DrvbM=,tag:ZyJKIzZVOoj88a4CgwbzcA==,type:str]
+ pgp:
+ - created_at: "2024-04-16T21:36:19Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DqwFTgegr/uoSAQdArvpDYVXu+ZKxbH1EDnU4EArUzQys8jfj/HJJ+oyh+Bow
+ I+eXaPyOu3TThp9685Cxk6/AizGP9HMZacilb62jKc2eCJnaziCKWt2kfmVxjzSU
+ 1GYBCQIQ7DoWTEdcTgXi9rjEY5ki07mTlF3PJtKSYRT1kZ3cSXutSqiC1HaPTZy/
+ E8rDKNplzXjc5wvVgwijsEm6mk2GrsPhi+BRw8/9VFMq6lTF7XswESo//F1ftgsh
+ mYI30vMPjy8=
+ =Pule
+ -----END PGP MESSAGE-----
+ fp: D414CA78EA1640D40F4F3C1053C2682E611998F7
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/k8s/helm_app_python/templates/deployment.yaml b/k8s/helm_app_python/templates/deployment.yaml
index 07f7144e85..704418bd3d 100644
--- a/k8s/helm_app_python/templates/deployment.yaml
+++ b/k8s/helm_app_python/templates/deployment.yaml
@@ -27,7 +27,7 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- serviceAccountName: {{ include "helm_app_python.serviceAccountName" . }}
+ serviceAccountName: app
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
diff --git a/k8s/helm_app_python/templates/secrets.yaml b/k8s/helm_app_python/templates/secrets.yaml
new file mode 100644
index 0000000000..53b75d1d1b
--- /dev/null
+++ b/k8s/helm_app_python/templates/secrets.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: credentials
+type: Opaque
+data:
+ password: {{ .Values.password | b64enc | quote }}
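Review bot: `serviceAccountName: app` pins the pod to a ServiceAccount that nothing in this commit creates — the `serviceAccount.name` value is still `""` in values.yaml, so the chart's own ServiceAccount (presumably generated from the fullname template, per the comment in that file) is no longer the one the pod runs as, and unless an SA called `app` already exists in the namespace the pod is rejected at creation. Because the `internal-app` Vault role added in the values.yaml hunk is bound to the pod's SA name, this identity also decides whether the Vault agent can log in at all. Keep `serviceAccountName: {{ include "helm_app_python.serviceAccountName" . }}` and set `serviceAccount.name: app` in values.yaml instead, so the SA the chart manages and the SA the pod uses stay the same object. The enclosing Deployment template starts and ends outside the hunk.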
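Review bot: `name: credentials` is a fixed, release-independent Secret name, so two releases of this chart in the same namespace would overwrite each other's password; `name: {{ include "helm_app_python.fullname" . }}-credentials` (assuming the chart has the standard fullname helper) keeps it scoped to the release. The `data` line also renders silently when `.Values.password` is unset — `b64enc` of an empty string yields `""` and an empty Secret is created, which only surfaces later as a wrong password in the pod — so fail at template time with `password: {{ required "password must be set (decrypt secrets.yaml via helm secrets)" .Values.password | b64enc | quote }}`. Worth a comment above `data:` that base64 is encoding, not encryption: the value is plaintext to anyone who can read the Secret or run `printenv` in the pod, as the `MY_PASSWORD=qwerty123` output in k8s/11.md shows.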
diff --git a/k8s/helm_app_python/values.yaml b/k8s/helm_app_python/values.yaml
index 4ec27a122a..4e2c7609c2 100644
--- a/k8s/helm_app_python/values.yaml
+++ b/k8s/helm_app_python/values.yaml
@@ -25,7 +25,11 @@ serviceAccount:
 # If not set and create is true, a name is generated using the fullname template
 name: ""
-podAnnotations: {}
+podAnnotations:
+ vault.hashicorp.com/role: 'internal-app'
+ vault.hashicorp.com/agent-inject: 'true'
+ vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config'
+
 podLabels: {}
 podSecurityContext: {}
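Review bot: The three `vault.hashicorp.com/*` annotations are unconditional defaults, so every install of this chart now requires the Vault Agent injector webhook plus a Vault role named `internal-app` bound to the pod's ServiceAccount (which the deployment.yaml hunk pins to `app`); an install without the injector gets no sidecar and no `/vault/secrets/database-config.txt`, and one with a mismatched role presumably fails in the agent init container at login. Consider gating them behind a value such as a `vault.enabled` toggle (constructed name), or at least a comment on `podAnnotations:` stating the prerequisite. Without a matching `vault.hashicorp.com/agent-inject-template-database-config.txt` annotation the injector renders the KV response with its default template — a key/value dump that for KV v2 includes the `metadata` block alongside `data` — which the application has to parse; if only one field is needed, a template annotation selecting that field is the narrower choice. The chart now also carries two secret paths, this Vault-injected file and the sops-rendered `credentials` Secret, and a one-line comment saying which one the app actually reads would save the next maintainer a guess.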