Vault Secrets Operator
The Vault Secrets Operator (VSO) supports Vault as a secret source, which lets you seamlessly integrate VSO with a Vault instance running on any platform.
Supported Vault platform and version
Platform | Version |
---|---|
Vault Enterprise/Community | 1.11+ |
HCP Vault Dedicated | 1.11+ |
Features
Vault Secrets Operator supports the following Vault features:
- Sync from multiple instances of Vault.
- All Vault secret engines supported.
- TLS/mTLS communications with Vault.
- Support for all VSO features, including performing a rollout-restart upon secret rotation or during drift remediation.
- Cross Vault namespace authentication for Vault Enterprise 1.13+.
- Encrypted Vault client cache storage for improved performance and security.
Supported Vault authentication methods
Backend | Description |
---|---|
Kubernetes | Relies on short-lived Kubernetes ServiceAccount tokens for Vault authentication |
JWT | Relies on either static JWT tokens or short-lived Kubernetes ServiceAccount tokens for Vault authentication |
AppRole | Relies on static AppRole credentials for Vault authentication |
AWS | Relies on AWS credentials for Vault authentication |
GCP | Relies on GCP credentials for Vault authentication |
Vault access and custom resource definitions
VaultConnection and VaultAuth CRDs provide Vault connection and authentication configuration information for the operator. Consider VaultConnection and VaultAuth as foundational resources used by all secret replication type resources.
VaultConnection custom resource
Provides the required configuration details for connecting to a single Vault server instance.
VaultAuth custom resource
Provides the configuration necessary for the Operator to authenticate to a single Vault server instance as specified in a VaultConnection custom resource.
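As an added example (not taken from the original page), a VaultConnection paired with a VaultAuth that uses the Kubernetes auth method; the server address, CA Secret name, Kubernetes namespace, service account and Vault role are assumed placeholders, and the field names are the VSO v1beta1 API fields as assumed here.

```yaml
# VaultConnection: where Vault is and how to trust it.
# The page's request URLs use a dev server at http://127.0.0.1:8200; a
# production connection should use HTTPS with a pinned CA, as shown here.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-connection       # assumed name, referenced by VaultAuth below
  namespace: vso-demo          # assumed namespace
spec:
  address: https://vault.example.com:8200   # assumed address
  # Kubernetes Secret holding the CA bundle under the key "ca.crt" (assumed)
  caCertSecretRef: vault-ca
  tlsServerName: vault.example.com
  # Keep TLS verification on; setting this to true disables chain validation.
  skipTLSVerify: false
---
# VaultAuth: how the Operator proves its identity to that Vault instance.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-auth             # assumed name, referenced by secret CRs
  namespace: vso-demo
spec:
  vaultConnectionRef: vault-connection
  method: kubernetes           # short-lived ServiceAccount tokens, per the table above
  mount: kubernetes            # assumed auth mount path in Vault
  kubernetes:
    role: vso-demo-role        # assumed Vault role bound to the SA below
    serviceAccount: default    # assumed SA whose token VSO presents to Vault
    audiences:
      - vault                  # bound audience keeps the token usable only for Vault
```

Secret CRs in the same namespace reference `vault-auth` via `spec.vaultAuthRef`; each Vault role should be bound to one namespace and service account so a token cannot be reused elsewhere.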
Vault secret custom resource definitions
Provides the configuration necessary for the Operator to replicate a single Vault Secret to a single Kubernetes Secret. Each supported CRD is specialized to a class of Vault secret, documented below.
VaultStaticSecret custom resource
Provides the configuration necessary for the Operator to synchronize a single Vault static Secret to a single Kubernetes Secret.
Supported secrets engines: kv-v2, kv-v1
KV version 1 secret example
The KV secrets engine's kvv1 mount path is specified under spec.mount of the VaultStaticSecret custom resource. Please consult KV Secrets Engine - Version 1 - Setup for configuring KV secrets engine version 1. The following results in a request to http://127.0.0.1:8200/v1/kvv1/eng/apikey/google to retrieve the secret.
KV version 2 secret example
Set the KV secrets engine (kvv2) mount path with the spec.mount parameter of your VaultStaticSecret custom resource. For more advanced KV secrets engine version 2 configuration options, consult the KV Secrets Engine - Version 2 - Setup guide.
For example, to send requests to http://127.0.0.1:8200/v1/kvv2/eng/apikey/google to retrieve secrets:
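An added VaultStaticSecret covering both the KV version 1 and version 2 passages above (example configuration, not the page's own); the VaultAuth reference, destination Secret name and Deployment name are assumed, and the field names are the VSO v1beta1 fields as assumed here.

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: google-apikey
  namespace: vso-demo          # assumed; must match the VaultAuth's namespace
spec:
  vaultAuthRef: vault-auth     # assumed VaultAuth resource name
  # Mount path and engine version. For the KV v1 example on this page use
  #   mount: kvv1
  #   type: kv-v1
  mount: kvv2
  type: kv-v2
  # Path under the mount; together with mount it yields
  # http://127.0.0.1:8200/v1/kvv2/eng/apikey/google from the page.
  path: eng/apikey/google
  # Static secrets have no lease, so VSO polls on this interval to detect
  # rotation or drift (assumed value).
  refreshAfter: 60s
  destination:
    name: google-apikey        # Kubernetes Secret VSO writes
    create: true               # VSO creates and owns the Secret
  # Restart consumers when the synced Secret changes, so a rotated key
  # is actually picked up instead of lingering in running pods.
  rolloutRestartTargets:
    - kind: Deployment
      name: api-gateway        # assumed workload name
```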
VaultPKISecret custom resource
Provides the configuration necessary for the Operator to synchronize a single Vault PKI Secret to a single Kubernetes Secret.
Supported secrets engines: pki
The PKI secrets engine's mount path is specified under spec.mount of the VaultPKISecret custom resource. Please consult PKI Secrets Engine - Setup and Usage for configuring the PKI secrets engine. The following results in a request to http://127.0.0.1:8200/v1/pki/issue/default to generate TLS certificates.
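An added VaultPKISecret that issues a certificate from the `pki` mount's `default` role named on this page and writes it as a `kubernetes.io/tls` Secret (example configuration, not the page's own); the common name, alternate names, TTL values and workload name are assumed, as are the v1beta1 field names.

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: web-tls
  namespace: vso-demo          # assumed
spec:
  vaultAuthRef: vault-auth     # assumed VaultAuth resource name
  mount: pki                   # mount + role give /v1/pki/issue/default
  role: default
  # Subject fields; the Vault role must allow these names or issuance fails.
  commonName: web.vso-demo.svc.cluster.local   # assumed
  altNames:
    - web.vso-demo.svc                         # assumed
  # Request a short-lived cert and renew it expiryOffset before expiry,
  # so a leaked key has a bounded lifetime (assumed values).
  ttl: 24h
  expiryOffset: 1h
  format: pem
  # Revoke the previous certificate in Vault when a new one is issued.
  revoke: true
  destination:
    name: web-tls
    create: true
    type: kubernetes.io/tls    # keys tls.crt / tls.key for Ingress and pods
  rolloutRestartTargets:
    - kind: Deployment
      name: web                # assumed workload name
```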
VaultDynamicSecret custom resource
Provides the configuration necessary for the Operator to synchronize a single Vault dynamic Secret to a single Kubernetes Secret.
Supported secrets engines (non-exhaustive): databases, aws, azure, gcp, ...
Database secret example
Set the database secret engine mount path (db) with the spec.mount of your VaultDynamicSecret custom resource. For more advanced database secrets engine configuration options, consult the Database Secrets Engine - Setup guide.
For example, to send requests to http://127.0.0.1:8200/v1/db/creds/my-postgresql-role to generate a new credential:
AWS secret example
Set the AWS secrets engine mount path (aws) with the spec.mount parameter of your VaultDynamicSecret custom resource. For more advanced AWS secrets engine configuration options, consult the AWS Secrets Engine - Setup guide.
For example, to send requests to http://127.0.0.1:8200/v1/aws/creds/my-iam-role to generate a new IAM credential:
To send requests to http://127.0.0.1:8200/v1/aws/sts/my-sts-role to generate a new STS credential:
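An added pair of VaultDynamicSecret resources serving both the database and the AWS passages above (example configuration, not the page's own): one reads `db/creds/my-postgresql-role`, the other calls `aws/sts/my-sts-role`, which is a write endpoint and so needs a POST with parameters. Destination names, the TTL parameter, workload names and the `requestHTTPMethod`/`params` field names are assumed.

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: postgres-creds
  namespace: vso-demo          # assumed
spec:
  vaultAuthRef: vault-auth     # assumed VaultAuth resource name
  mount: db                    # mount + path give /v1/db/creds/my-postgresql-role
  path: creds/my-postgresql-role
  # Renew the lease at 67% of its TTL; VSO re-issues when renewal fails.
  renewalPercent: 67
  # Revoke the lease when this resource is deleted so credentials do not
  # outlive the workload that used them.
  revoke: true
  destination:
    name: postgres-creds
    create: true
  rolloutRestartTargets:
    - kind: Deployment
      name: app                # assumed workload name
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: aws-sts-creds
  namespace: vso-demo
spec:
  vaultAuthRef: vault-auth
  mount: aws                   # mount + path give /v1/aws/sts/my-sts-role
  path: sts/my-sts-role
  # The STS endpoint is written to, not read; send a POST (assumed field).
  requestHTTPMethod: POST
  # Request a short session so the returned keys expire quickly (assumed).
  params:
    ttl: 15m
  # STS credentials are not renewable; VSO re-requests them before expiry.
  destination:
    name: aws-sts-creds
    create: true
```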
HCP Vault Secrets Example
For more details on any of the custom resources mentioned here, please see the api-reference.
Vault client cache
The Vault Secrets Operator can optionally cache Vault client information such as Vault tokens and leases in Kubernetes Secrets within its own namespace. The client cache enables seamless upgrades because Vault tokens and dynamic secret leases can continue to be tracked and renewed through leadership changes. Client cache persistence and encryption are not enabled by default because they require extra configuration and Vault Server setup. VSO supports encrypting the client cache using Vault Server's transit secrets engine.
The Encrypted client cache guide will walk you through the steps to enable and configure client cache encryption.
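An added Helm `values.yaml` fragment (not from the page or the guide it links) that turns on persisted, transit-encrypted client caching; the chart value names are assumed from the vault-secrets-operator chart as understood here, and the transit mount, key name, Vault role and service account are placeholders.

```yaml
# values.yaml for the vault-secrets-operator Helm chart (value names assumed)
controller:
  manager:
    clientCache:
      # "none" (default) keeps cached Vault clients only in memory;
      # "direct-encrypted" persists them to Secrets in VSO's namespace,
      # wrapped with a Vault transit key so etcd never holds plaintext tokens.
      persistenceModel: direct-encrypted
      storageEncryption:
        enabled: true
        # Auth method VSO uses for the transit encrypt/decrypt calls.
        method: kubernetes
        mount: kubernetes                # assumed auth mount
        kubernetes:
          role: vso-cache-role           # assumed; grants only the policy below
          serviceAccount: vault-secrets-operator-controller-manager
          tokenAudiences: ["vault"]
        # Transit engine mount and key that wrap cache entries.
        transitMount: transit            # assumed
        keyName: vso-client-cache        # assumed
# The Vault role above needs only this policy (HCL, shown for reference):
#   path "transit/encrypt/vso-client-cache" { capabilities = ["update"] }
#   path "transit/decrypt/vso-client-cache" { capabilities = ["update"] }
```

Keep the cache role separate from the roles used by secret CRs so a compromise of the cache key material does not also grant read access to application secrets.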
Tutorial
Refer to the Vault Secrets Operator on Kubernetes tutorial to learn the end-to-end workflow using the Vault Secrets Operator.