Kubernetes

Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart. The Helm chart allows users to deploy Vault in various configurations:

  • Dev: a single in-memory Vault server for testing Vault
  • Standalone (default): a single Vault server persisting to a volume using the file storage backend
  • High-Availability (HA): a cluster of Vault servers that use an HA storage backend such as Consul (default)
  • External: a Vault Agent Injector server that depends on an external Vault server

Use Cases

Running a Vault Service: The Vault server cluster can run directly on Kubernetes. It can be used by applications running within Kubernetes as well as applications external to Kubernetes, as long as they can communicate with the server over the network.

Accessing and Storing Secrets: Applications using the Vault service running in Kubernetes can access and store secrets from Vault using a number of different secret engines and authentication methods.

Running a Highly Available Vault Service: By using pod affinities, highly available backend storage (such as Consul) and auto-unseal, Vault can become a highly available service in Kubernetes.

Encryption as a Service: Applications using the Vault service running in Kubernetes can leverage the Transit secret engine as "encryption as a service". This allows applications to offload encryption needs to Vault before storing data at rest.

Audit Logs for Vault: Operators can choose to attach a persistent volume to the Vault cluster which can be used to store audit logs.

And more! Vault can run directly on Kubernetes, so in addition to the native integrations provided by Vault itself, any other tool built for Kubernetes can choose to leverage Vault.
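As an illustration of the High-Availability and audit-log use cases above, the following Helm values file is an added example, not taken from the original page or from HashiCorp's guides. The file name, release name, replica count and volume size are assumptions; the keys are values of the official Vault Helm chart.

```yaml
# values-ha.yaml (constructed example; name and sizes are assumptions)
#
# Install with:
#   helm repo add hashicorp https://helm.releases.hashicorp.com
#   helm install vault hashicorp/vault -f values-ha.yaml
server:
  ha:
    # Run a cluster of Vault servers instead of the default standalone server.
    # With no further configuration the chart expects a Consul storage backend.
    enabled: true
    replicas: 3

  # Pod anti-affinity: never schedule two Vault server pods on the same node,
  # so losing one node cannot take out more than one cluster member.
  # The value is a template string that the chart renders at install time.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}
              app.kubernetes.io/instance: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  # Persistent volume dedicated to audit logs, kept separate from data storage
  # so the logs survive pod restarts.
  auditStorage:
    enabled: true
    size: 10Gi
    mountPath: /vault/audit

# Mounting the volume does not turn auditing on. After Vault is initialized
# and unsealed, enable a file audit device that writes to the mount:
#   vault audit enable file file_path=/vault/audit/audit.log
```

Auto-unseal is configured separately through a seal stanza in the server configuration and depends on the key management service in use, so it is left out here.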

Getting Started with Vault and Kubernetes

There are several ways to try Vault with Kubernetes in different environments.

Guides

  • Vault Installation to Minikube via Helm with Integrated Storage covers installing Vault locally using Minikube and the official Helm chart.

  • Vault Installation to Red Hat OpenShift via Helm covers installing Vault using Helm on Red Hat's OpenShift platform.

  • Integrate a Kubernetes Cluster with an External Vault provides an example of making Vault accessible via a Kubernetes service and endpoint.

  • Vault on Kubernetes Deployment Guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the Vault on Kubernetes Reference Architecture.

Documentation

  • Vault on Kubernetes Reference Architecture provides recommended practices for running Vault on Kubernetes in production.

  • Vault on Kubernetes Security Considerations provides recommendations specific to securely running Vault in a production Kubernetes environment.
