diff --git a/kubernetes/zuul/components/zookeeper/cert.yaml b/kubernetes/zuul/components/zookeeper/cert.yaml
index da205e90..5ee27e47 100644
--- a/kubernetes/zuul/components/zookeeper/cert.yaml
+++ b/kubernetes/zuul/components/zookeeper/cert.yaml
@@ -14,11 +14,11 @@ spec:
     - server auth
     - client auth
   dnsNames:
-    - zookeeper-0.zookeeper-headless.zuul-ci.svc.cluster.local
+    - zookeeper-0.zookeeper-headless.zuul-ci-test.svc.cluster.local
     - zookeeper-0
-    - zookeeper-1.zookeeper-headless.zuul-ci.svc.cluster.local
+    - zookeeper-1.zookeeper-headless.zuul-ci-test.svc.cluster.local
     - zookeeper-1
-    - zookeeper-2.zookeeper-headless.zuul-ci.svc.cluster.local
+    - zookeeper-2.zookeeper-headless.zuul-ci-test.svc.cluster.local
     - zookeeper-2
   issuerRef:
     name: ca-issuer
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/configs/kube.config.hcl b/kubernetes/zuul/overlays/zuul_ci_test/configs/kube.config.hcl
new file mode 100644
index 00000000..5521118d
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/configs/kube.config.hcl
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Config
+current-context: otcci
+preferences: {}
+
+clusters:
+  - name: otcci
+    cluster:
+      server: "https://192.168.21.182:5443"
+      insecure-skip-tls-verify: true
+
+contexts:
+  - name: otcci
+    context:
+      cluster: otcci
+      user: otcci-admin
+
+users:
+  - name: otcci-admin
+    user:
+{{- with secret "secret/kubernetes/otcci_k8s" }}
+      client-certificate-data: "{{ base64Encode .Data.data.client_crt }}"
+      client-key-data: "{{ base64Encode .Data.data.client_key }}"
+{{- end }}
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/configs/openstack/clouds.yaml.hcl b/kubernetes/zuul/overlays/zuul_ci_test/configs/openstack/clouds.yaml.hcl
new file mode 100644
index 00000000..51be5cc6
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/configs/openstack/clouds.yaml.hcl
@@ -0,0 +1,52 @@
+---
+# Nodepool openstacksdk configuration
+#
+# This file is deployed to nodepool launcher and builder hosts
+# and is used there to authenticate nodepool operations to clouds.
+# This file only contains projects we are launching test nodes in, and
+# the naming should correspond that used in nodepool configuration
+# files.
+#
+# Generated automatically, please do not edit directly!
+cache:
+  expiration:
+    server: 5
+    port: 5
+    floating-ip: 5
+clouds:
+  otcci-pool1:
+    auth:
+{{- with secret "secret/clouds/otcci_nodepool_pool1" }}
+{{- with secret (printf "secret/%s" .Data.data.user_secret_name) }}
+       auth_url: "{{ .Data.data.auth_url }}"
+       user_domain_name: "{{ .Data.data.user_domain_name }}"
+       username: "{{ .Data.data.username }}"
+       password: "{{ .Data.data.password }}"
+{{- end }}
+       project_name: "{{ .Data.data.project_name }}"
+{{- end }}
+    private: true
+  otcci-pool2:
+    auth:
+{{- with secret "secret/clouds/otcci_nodepool_pool2" }}
+{{- with secret (printf "secret/%s" .Data.data.user_secret_name) }}
+       auth_url: "{{ .Data.data.auth_url }}"
+       user_domain_name: "{{ .Data.data.user_domain_name }}"
+       username: "{{ .Data.data.username }}"
+       password: "{{ .Data.data.password }}"
+{{- end }}
+       project_name: "{{ .Data.data.project_name }}"
+{{- end }}
+    private: true
+  otcci-pool3:
+    auth:
+{{- with secret "secret/clouds/otcci_nodepool_pool3" }}
+{{- with secret (printf "secret/%s" .Data.data.user_secret_name) }}
+       auth_url: "{{ .Data.data.auth_url }}"
+       user_domain_name: "{{ .Data.data.user_domain_name }}"
+       username: "{{ .Data.data.username }}"
+       password: "{{ .Data.data.password }}"
+{{- end }}
+       project_name: "{{ .Data.data.project_name }}"
+{{- end }}
+    private: true
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/configs/site-vars.yaml b/kubernetes/zuul/overlays/zuul_ci_test/configs/site-vars.yaml
new file mode 100644
index 00000000..aacc7e8b
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/configs/site-vars.yaml
@@ -0,0 +1,3 @@
+---
+zuul_base_vault_token_path: /var/run/zuul/trusted-ro/zuul-base-vault-token
+zuul_vault_addr: https://vault-lb.eco.tsi-dev.otc-service.com:8200
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/configs/vault-agent/config-nodepool.hcl b/kubernetes/zuul/overlays/zuul_ci_test/configs/vault-agent/config-nodepool.hcl
new file mode 100644
index 00000000..a39b754b
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/configs/vault-agent/config-nodepool.hcl
@@ -0,0 +1,31 @@
+pid_file = "/home/vault/.pid"
+"auto_auth" = {
+    "method" = {
+        "mount_path" = "auth/kubernetes_otcci"
+        "config" = {
+          "role" = "zuul"
+        }
+        "type" = "kubernetes"
+      }
+    sink "file" {
+        config = {
+            path = "/home/vault/.token"
+        }
+    }
+}
+
+cache {
+    use_auto_auth_token = true
+}
+
+template {
+  destination = "/vault/secrets/openstack/clouds.yaml"
+  source = "/vault/custom/clouds.yaml.hcl"
+  perms = "0640"
+}
+
+template {
+  destination = "/vault/secrets/.kube/config"
+  source = "/vault/custom/kube.config.hcl"
+  perms = "0640"
+}
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/configs/vault-agent/config-zuul.hcl b/kubernetes/zuul/overlays/zuul_ci_test/configs/vault-agent/config-zuul.hcl
new file mode 100644
index 00000000..b7315220
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/configs/vault-agent/config-zuul.hcl
@@ -0,0 +1,55 @@
+pid_file = "/home/vault/.pid"
+"auto_auth" = {
+    "method" = {
+        "mount_path" = "auth/kubernetes_otcci"
+        "config" = {
+          "role" = "zuul"
+        }
+        "type" = "kubernetes"
+      }
+    sink "file" {
+        config = {
+            path = "/home/vault/.token"
+        }
+    }
+}
+
+cache {
+    use_auto_auth_token = true
+}
+
+template {
+  destination = "/vault/secrets/connections/github.key"
+  contents = <<EOT
+{{- with secret "secret/zuul/connections/github" }}{{ .Data.data.app_key }}{{ end }}
+EOT
+  perms = "0600"
+}
+template {
+  destination = "/vault/secrets/connections/gitlab.key"
+  contents = <<EOT
+{{ with secret "secret/zuul/connections/gitlab" }}{{ .Data.data.ssh_key }}{{ end }}
+EOT
+  perms = "0600"
+}
+template {
+  destination = "/vault/secrets/connections/gitea.key"
+  contents = <<EOT
+{{ with secret "secret/zuul/connections/gitea" }}{{ .Data.data.ssh_key }}{{ end }}
+EOT
+  perms = "0600"
+}
+
+template {
+  destination = "/vault/secrets/zuul.conf"
+  source = "/vault/custom/zuul.conf.hcl"
+  perms = "0644"
+  # exec = { command = "sh -c '{ if [ -f /secrets/config.check ]; then kubectl -n zuul-ci-test rollout restart statefulset zuul-executor; else touch /secrets/config.check; fi }'", timeout = "30s" }
+}
+template {
+  destination = "/vault/secrets/sshkey"
+  contents = <<EOT
+{{- with secret "secret/zuul/sshkey" }}{{ .Data.data.private_key }}{{ end }}
+EOT
+  perms = "0600"
+}
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/configs/vault-agent/executor-base-vault-agent.hcl b/kubernetes/zuul/overlays/zuul_ci_test/configs/vault-agent/executor-base-vault-agent.hcl
new file mode 100644
index 00000000..2e0f2ab7
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/configs/vault-agent/executor-base-vault-agent.hcl
@@ -0,0 +1,29 @@
+pid_file = "/home/vault/.pid"
+
+"auto_auth" = {
+    "method" = {
+        "mount_path" = "auth/kubernetes_otcci"
+        "config" = {
+          # Here we explicitly request zuul-base role which gives access to 
+          # only certain policies
+          "role" = "zuul-base"
+        }
+        "type" = "kubernetes"
+      }
+    sink "file" {
+        config = {
+            # Write token into the file zuul executor reads
+            path = "/var/run/zuul/trusted-ro/zuul-base-vault-token"
+        }
+    }
+}
+
+cache {
+    use_auto_auth_token = true
+}
+
+# Vault agent requires at least one template or listener is present. Add a socket
+listener "unix" {
+    address = "/home/vault/vault_agent.socket"
+    tls_disable = true
+}
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/configs/zuul.conf.hcl b/kubernetes/zuul/overlays/zuul_ci_test/configs/zuul.conf.hcl
new file mode 100644
index 00000000..86de715d
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/configs/zuul.conf.hcl
@@ -0,0 +1,109 @@
+[zookeeper]
+hosts=zookeeper.zuul-ci-test.svc.cluster.local:2281
+tls_cert=/tls/client/tls.crt
+tls_key=/tls/client/tls.key
+tls_ca=/tls/client/ca.crt
+session_timeout=40
+
+[scheduler]
+#tenant_config=/etc/zuul-config/zuul/main.yaml
+tenant_config_script=/etc/zuul-config/tools/render_config.py
+state_dir=/var/lib/zuul
+relative_priority=true
+prometheus_port=9091
+
+[web]
+listen_address=0.0.0.0
+port=9000
+status_url=https://zuul-test.otc-service.com
+root=https://zuul-test.otc-service.com
+prometheus_port=9091
+
+[fingergw]
+port=9079
+user=zuul
+
+[keystore]
+{{- with secret "secret/zuul/keystore_password" }}
+password={{ .Data.data.password }}
+{{- end }}
+
+[merger]
+git_dir=/var/lib/zuul/git
+git_timeout=600
+git_user_email=zuul@zuul.otc-service.com
+git_user_name=OpenTelekomCloud Zuul
+prometheus_port=9091
+
+[executor]
+manage_ansible=true
+ansible_root=/var/lib/zuul/managed_ansible
+private_key_file=/etc/zuul/sshkey
+disk_limit_per_job=2000
+max_starting_builds=5
+trusted_ro_paths=/var/run/zuul/trusted-ro
+variables=/var/run/zuul/vars/site-vars.yaml
+prometheus_port=9091
+
+[database]
+{{- with secret "database/static-creds/zuul-static-test" }}
+dburi=postgresql://{{ .Data.username }}:{{ .Data.password }}@192.168.21.196:5432/zuul?sslmode=require
+{{- end }}
+
+[connection "github"]
+name=github
+driver=github
+{{- with secret "secret/zuul/connections/github" }}
+webhook_token={{ .Data.data.webhook_token }}
+app_id={{ .Data.data.app_id }}
+{{- end }}
+app_key=/etc/zuul/connections/github.key
+
+[connection "gitlab"]
+name=gitlab
+driver=gitlab
+canonical_hostname=gitlab
+cloneurl=ssh://git@git-ssh.tsi-dev.otc-service.com
+server=git.tsi-dev.otc-service.com
+{{- with secret "secret/zuul/connections/gitlab" }}
+api_token={{ .Data.data.api_token }}
+webhook_token={{ .Data.data.webhook_token }}
+{{- end }}
+sshkey=/etc/zuul/connections/gitlab.key
+
+[connection "opendev"]
+name=opendev
+driver=git
+baseurl=https://opendev.org
+
+[connection "gitea"]
+name=gitea
+driver=gitea
+baseurl=https://gitea.eco.tsi-dev.otc-service.com
+server=gitea.eco.tsi-dev.otc-service.com
+cloneurl=ssh://git@gitea.eco.tsi-dev.otc-service.com:2222
+{{- with secret "secret/zuul/connections/gitea" }}
+api_token={{ .Data.data.api_token }}
+webhook_secret={{ .Data.data.webhook_secret }}
+{{- end }}
+sshkey=/etc/zuul/connections/gitea.key
+
+[connection "smtp"]
+name=smtp
+driver=smtp
+server=otc-de-out.mms.t-systems-service.com
+port=25
+default_from=zuul@zuul.otc-service.com
+default_to=DL-PBCOTCDELECOCERT@t-systems.com
+{{- with secret "secret/smtp_gw" }}
+user={{ .Data.data.username }}
+password={{ .Data.data.password }}
+{{- end }}
+use_starttls=True
+
+[auth "keycloak"]
+default=True
+driver=OpenIDConnect
+realm=eco
+issuer_id=https://keycloak.eco.tsi-dev.otc-service.com/realms/eco
+client_id=zuul
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/crb.yaml b/kubernetes/zuul/overlays/zuul_ci_test/crb.yaml
new file mode 100644
index 00000000..34bc45b5
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/crb.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "ClusterRoleBinding"
+metadata:
+  name: "zuul-vault-crb"
+roleRef:
+  apiGroup: "rbac.authorization.k8s.io"
+  kind: "ClusterRole"
+  name: "system:auth-delegator"
+subjects:
+  - kind: "ServiceAccount"
+    name: "zuul"
+    namespace: "zuul-ci-test"
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/crb_admin.yaml b/kubernetes/zuul/overlays/zuul_ci_test/crb_admin.yaml
new file mode 100644
index 00000000..fba5b09b
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/crb_admin.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "ClusterRoleBinding"
+metadata:
+  name: "zuul-admin-crb"
+roleRef:
+  kind: "ClusterRole"
+  name: "cluster-admin"
+  apiGroup: ""
+subjects:
+  - kind: "ServiceAccount"
+    name: "zuul"
+    namespace: "zuul-ci-test"
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/kustomization.yaml b/kubernetes/zuul/overlays/zuul_ci_test/kustomization.yaml
new file mode 100644
index 00000000..b944a870
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/kustomization.yaml
@@ -0,0 +1,184 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+components:
+  - ../../components/zuul-client
+  - ../../components/zuul-merger
+  - ../../components/nodepool-builder
+  - ../../components/restarter
+
+configMapGenerator:
+  - name: "vault-agent-config"
+    files:
+      - "config-zuul.hcl=configs/vault-agent/config-zuul.hcl"
+      - "config-nodepool.hcl=configs/vault-agent/config-nodepool.hcl"
+      - "executor-base-vault-agent.hcl=configs/vault-agent/executor-base-vault-agent.hcl"
+  - name: "zuul-instance-config"
+    behavior: "replace"
+    literals:
+      - ZUUL_CONFIG_REPO=https://github.com/opentelekomcloud-infra/zuul-config/
+  - name: "zuul-executor-vars"
+    behavior: "replace"
+    files:
+      - "configs/site-vars.yaml"
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/instance: zuul-ci-test
+
+images:
+  - name: "busybox"
+    newName: "docker.io/library/busybox"
+    newTag: "1.37.0-musl"
+
+  - name: "hashicorp/vault"
+    newName: "hashicorp/vault"
+    newTag: "1.18.2"
+
+  - name: "zuul/zuul-executor"
+    newName: "quay.io/opentelekomcloud/zuul-executor"
+    newTag: "change_1157_change_859940"
+
+  - name: "zuul/zuul-merger"
+    newName: "quay.io/opentelekomcloud/zuul-merger"
+    newTag: "change_1157_change_859940"
+
+  - name: "zuul/zuul-scheduler"
+    newName: "quay.io/opentelekomcloud/zuul-scheduler"
+    newTag: "change_1157_change_859940"
+
+  - name: "zuul/zuul-web"
+    newName: "quay.io/opentelekomcloud/zuul-web"
+    newTag: "change_1157_change_859940"
+
+  - name: "zuul/nodepool-builder"
+    newName: "quay.io/zuul-ci/nodepool-builder"
+    newTag: "11.0.0"
+
+  - name: "zuul/nodepool-launcher"
+    newName: "quay.io/zuul-ci/nodepool-launcher"
+    newTag: "11.0.0"
+
+patches:
+  # Patch zookeeper (storage class, size and count)
+  - patch: |-
+      - op: replace
+        path: /spec/replicas
+        value: 3
+
+      - op: add
+        path: /spec/volumeClaimTemplates/0/spec/storageClassName
+        value: "csi-disk"
+
+      - op: add
+        path: /spec/volumeClaimTemplates/0/spec/resources/requests/storage
+        value: "5Gi"
+    target:
+      group: apps
+      kind: StatefulSet
+      name: zookeeper
+      version: v1
+
+  # Path zuul components (replace config and enable vault)
+  - patch: |-
+      - op: replace
+        path: /spec/template/spec/volumes/0
+        value:
+          name: "zuul-config"
+          emptyDir:
+            medium: "Memory"
+    target:
+      labelSelector: "app.kubernetes.io/name=zuul,app.kubernetes.io/component in (zuul-scheduler,zuul-executor,zuul-merger,zuul-web,zuul-client)"
+      group: apps
+      version: v1
+
+  - path: patch-zuul.yaml
+    target:
+      labelSelector: "app.kubernetes.io/name=zuul,app.kubernetes.io/component in (zuul-scheduler,zuul-executor,zuul-merger,zuul-web,zuul-client)"
+      group: apps
+      version: v1
+
+  # Patching zuul-executor count
+  - patch: |-
+      - op: replace
+        path: /spec/replicas
+        value: 2
+    target:
+      labelSelector: "app.kubernetes.io/name=zuul,app.kubernetes.io/component=zuul-executor"
+      group: apps
+      version: v1
+
+  # Add zuul-executor base job vault token
+  - path: patch-zuul-executor.yaml
+    target:
+      labelSelector: "app.kubernetes.io/name=zuul,app.kubernetes.io/component=zuul-executor"
+      group: apps
+      version: v1
+
+  # Patching Nodepool components (replace config and enable vault)
+  - patch: |-
+      - op: replace
+        path: /spec/template/spec/volumes/0
+        value:
+          name: "nodepool-config"
+          emptyDir: {}
+    target:
+      labelSelector: "app.kubernetes.io/name=zuul,app.kubernetes.io/component in (nodepool-launcher,nodepool-builder)"
+      group: apps
+      version: v1
+
+  - path: patch-nodepool.yaml
+    target:
+      labelSelector: "app.kubernetes.io/name=zuul,app.kubernetes.io/component in (nodepool-launcher,nodepool-builder)"
+      group: apps
+      version: v1
+
+  # Patching web
+  - patch: |-
+      - op: replace
+        path: /spec/ingressClassName
+        value: nginx
+      - op: replace
+        path: /spec/rules/0/host
+        value: zuul.otc-service.com
+      - op: replace
+        path: /metadata/annotations
+        value:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+      - op: replace
+        path: /spec/tls
+        value:
+          - hosts:
+              - zuul.otc-service.com
+            secretName: zuul-cert-prod
+    target:
+      group: networking.k8s.io
+      kind: Ingress
+      name: zuul-web
+      version: v1
+
+resources:
+  - ../../base
+  - crb.yaml
+  - crb_admin.yaml
+
+secretGenerator:
+  # Replacing general secrets to be able to trigger updates
+  - name: zuul-config
+    behavior: "replace"
+    files:
+      - "configs/zuul.conf.hcl"
+  - name: nodepool-config
+    behavior: "replace"
+    files:
+      - "configs/openstack/clouds.yaml.hcl"
+  # Vault configs
+  - name: vault-config-zuul
+    files:
+      - "configs/zuul.conf.hcl"
+  - name: vault-config-nodepool
+    files:
+      - "configs/openstack/clouds.yaml.hcl"
+      - "configs/kube.config.hcl"
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/patch-nodepool.yaml b/kubernetes/zuul/overlays/zuul_ci_test/patch-nodepool.yaml
new file mode 100644
index 00000000..edbfb760
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/patch-nodepool.yaml
@@ -0,0 +1,143 @@
+---
+# Adding HashiCorp Vault agent  sidecar to render nodepool configs
+apiVersion: apps/v1
+kind: not-used
+metadata:
+  name: not-used
+spec:
+  template:
+    spec:
+      containers:
+        - name: "nodepool"
+          volumeMounts:
+            - name: "vault-secrets"
+              mountPath: "/etc/openstack"
+              subPath: "openstack"
+            - name: "vault-secrets"
+              mountPath: "/var/lib/nodepool/.kube"
+              subPath: ".kube"
+
+        - name: "vault-agent"
+          args:
+            - touch /home/vault/.vault-token && vault agent -config=/vault/configs/config-nodepool.hcl
+          command:
+            - "/bin/sh"
+            - "-ec"
+          env:
+            - name: "VAULT_ADDR"
+              value: "https://vault-lb.eco.tsi-dev.otc-service.com:8200"
+            - name: "VAULT_LOG_LEVEL"
+              value: "info"
+            - name: "VAULT_LOG_FORMAT"
+              value: "standard"
+          image: "hashicorp/vault"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 10001
+            runAsNonRoot: true
+            runAsUser: 10001
+          resources:
+            limits:
+              memory: "1Gi"
+            requests:
+              cpu: 5m
+              memory: "1Gi"
+          volumeMounts:
+            - mountPath: "/home/vault"
+              name: "home-init"
+            - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+              name: "kube-api-access"
+              readOnly: true
+            - mountPath: "/vault/secrets"
+              name: "vault-secrets"
+            - mountPath: "/vault/custom"
+              name: "extra-secrets"
+              readOnly: true
+            - mountPath: "/vault/configs"
+              name: "vault-config"
+              readOnly: true
+
+      initContainers:
+        - name: "vault-agent-init"
+          args:
+            - touch /home/vault/.vault-token && vault agent -config=/vault/configs/config-nodepool.hcl -exit-after-auth=true
+          command:
+            - "/bin/sh"
+            - "-ec"
+          env:
+            - name: "VAULT_ADDR"
+              value: "https://vault-lb.eco.tsi-dev.otc-service.com:8200"
+            - name: "VAULT_LOG_LEVEL"
+              value: "debug"
+            - name: "VAULT_LOG_FORMAT"
+              value: "standard"
+          image: "hashicorp/vault"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 10001
+            runAsNonRoot: true
+            runAsUser: 10001
+          resources:
+            limits:
+              memory: "64Mi"
+            requests:
+              cpu: "5m"
+              memory: "64Mi"
+          volumeMounts:
+            - mountPath: "/home/vault"
+              name: "home-init"
+            - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+              name: "kube-api-access"
+              readOnly: true
+            - mountPath: "/vault/secrets"
+              name: "vault-secrets"
+            - mountPath: "/vault/custom"
+              name: "extra-secrets"
+              readOnly: true
+            - mountPath: "/vault/configs"
+              name: "vault-config"
+              readOnly: true
+
+      volumes:
+        - name: "kube-api-access"
+          projected:
+            defaultMode: 420
+            sources:
+              - serviceAccountToken:
+                  expirationSeconds: 7200
+                  path: "token"
+              - configMap:
+                  items:
+                    - key: "ca.crt"
+                      path: "ca.crt"
+                  name: "kube-root-ca.crt"
+              - downwardAPI:
+                  items:
+                    - fieldRef:
+                        apiVersion: "v1"
+                        fieldPath: "metadata.namespace"
+                      path: "namespace"
+        - emptyDir:
+            medium: "Memory"
+          name: "home-init"
+        - emptyDir:
+            medium: "Memory"
+          name: "home-sidecar"
+        - emptyDir:
+            medium: "Memory"
+          name: "vault-secrets"
+        - name: "vault-config"
+          configMap:
+            name: "vault-agent-config"
+        - name: "extra-secrets"
+          secret:
+            defaultMode: 420
+            secretName: "vault-config-nodepool"
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/patch-zuul-executor.yaml b/kubernetes/zuul/overlays/zuul_ci_test/patch-zuul-executor.yaml
new file mode 100644
index 00000000..57888d28
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/patch-zuul-executor.yaml
@@ -0,0 +1,59 @@
+---
+# In order to enable access to HashiCorp Vault inside jobs it is required to
+# provide a base vault token in the executor. It is done by spinning additional
+# vault-agent sidecar container which only writes vault access token with
+# specified role (and strictly limited privileges) to the specified location,
+# from which trusted jobs can read it and further use as defined by jobs.
+apiVersion: apps/v1
+kind: not-used
+metadata:
+  name: not-used
+spec:
+  template:
+    spec:
+      containers:
+        - name: "vault-agent-executor-base"
+          args:
+            - vault agent -config=/vault/configs/executor-base-vault-agent.hcl
+          command:
+            - "/bin/sh"
+            - "-ec"
+          env:
+            - name: "VAULT_ADDR"
+              value: "https://vault-lb.eco.tsi-dev.otc-service.com:8200"
+            - name: "VAULT_LOG_LEVEL"
+              value: "debug"
+            - name: "VAULT_LOG_FORMAT"
+              value: "standard"
+          image: "hashicorp/vault"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            # For some weird reason we need to have content as root, otherwise
+            # zuul executor (ansible) is not able to access file
+          resources:
+            limits:
+              memory: "64Mi"
+            requests:
+              cpu: "5m"
+              memory: "64Mi"
+          volumeMounts:
+            - mountPath: "/home/vault"
+              name: "home-vault-base"
+            - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+              name: "kube-api-access"
+              readOnly: true
+            - mountPath: "/vault/configs"
+              name: "vault-config"
+              readOnly: true
+            - mountPath: "/var/run/zuul/trusted-ro"
+              # since we want to populate it - no readonly
+              name: "zuul-trusted-ro"
+
+      volumes:
+        - name: "home-vault-base"
+          emptyDir:
+            medium: "Memory"
diff --git a/kubernetes/zuul/overlays/zuul_ci_test/patch-zuul.yaml b/kubernetes/zuul/overlays/zuul_ci_test/patch-zuul.yaml
new file mode 100644
index 00000000..49f97ba5
--- /dev/null
+++ b/kubernetes/zuul/overlays/zuul_ci_test/patch-zuul.yaml
@@ -0,0 +1,138 @@
+---
+# Add HashiCorp Vault agent sidecars to render Zuul config
+apiVersion: apps/v1
+kind: not-used
+metadata:
+  name: not-used
+spec:
+  template:
+    spec:
+      hostAliases:
+        - hostnames:
+            - git.tsi-dev.otc-service.com
+          ip: 192.168.170.142
+        - hostnames:
+            - artifacts.eco.tsi-dev.otc-service.com
+          ip: 192.168.170.129
+      containers:
+        - name: "vault-agent"
+          args:
+            - touch /home/vault/.vault-token && vault agent -config=/vault/configs/config-zuul.hcl
+          command:
+            - "/bin/sh"
+            - "-ec"
+          env:
+            - name: "VAULT_ADDR"
+              value: "https://vault-lb.eco.tsi-dev.otc-service.com:8200"
+            - name: "VAULT_LOG_LEVEL"
+              value: "debug"
+            - name: "VAULT_LOG_FORMAT"
+              value: "standard"
+          image: "hashicorp/vault"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 10001
+            runAsNonRoot: true
+            runAsUser: 10001
+          resources:
+            limits:
+              memory: 1Gi
+            requests:
+              cpu: 5m
+              memory: 1Gi
+          volumeMounts:
+            - mountPath: "/home/vault"
+              name: "home-init"
+            - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+              name: "kube-api-access"
+              readOnly: true
+            - mountPath: "/vault/secrets"
+              name: "zuul-config"
+            - mountPath: "/vault/custom"
+              name: "extra-secrets"
+              readOnly: true
+            - mountPath: "/vault/configs"
+              name: "vault-config"
+              readOnly: true
+
+      initContainers:
+        - name: "vault-agent-init"
+          args:
+            - touch /home/vault/.vault-token && vault agent -config=/vault/configs/config-zuul.hcl -exit-after-auth=true
+          command:
+            - "/bin/sh"
+            - "-ec"
+          env:
+            - name: "VAULT_ADDR"
+              value: "https://vault-lb.eco.tsi-dev.otc-service.com:8200"
+            - name: "VAULT_LOG_LEVEL"
+              value: "debug"
+            - name: "VAULT_LOG_FORMAT"
+              value: "standard"
+          image: "hashicorp/vault"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 10001
+            runAsNonRoot: true
+            runAsUser: 10001
+          resources:
+            limits:
+              memory: "64Mi"
+            requests:
+              cpu: "5m"
+              memory: "64Mi"
+          volumeMounts:
+            - mountPath: "/home/vault"
+              name: "home-init"
+            - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+              name: "kube-api-access"
+              readOnly: true
+            - mountPath: "/vault/secrets"
+              name: "zuul-config"
+            - mountPath: "/vault/custom"
+              name: "extra-secrets"
+              readOnly: true
+            - mountPath: "/vault/configs"
+              name: "vault-config"
+              readOnly: true
+
+      volumes:
+        - name: "kube-api-access"
+          projected:
+            defaultMode: 420
+            sources:
+              - serviceAccountToken:
+                  expirationSeconds: 7200
+                  path: "token"
+              - configMap:
+                  items:
+                    - key: "ca.crt"
+                      path: "ca.crt"
+                  name: "kube-root-ca.crt"
+              - downwardAPI:
+                  items:
+                    - fieldRef:
+                        apiVersion: "v1"
+                        fieldPath: "metadata.namespace"
+                      path: "namespace"
+        - name: "home-init"
+          emptyDir:
+            medium: "Memory"
+        - name: "home-sidecar"
+          emptyDir:
+            medium: "Memory"
+        - name: "vault-config"
+          configMap:
+            name: "vault-agent-config"
+        - name: "extra-secrets"
+          secret:
+            defaultMode: 420
+            secretName: "vault-config-zuul"