Vault Secrets Operator
The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets and HCP Vault Secrets Apps natively from Kubernetes Secrets.
The Vault Secrets Operator operates by watching for changes to its supported set of Custom Resource Definitions (CRD). Each CRD provides the specification required to allow the operator to synchronize from one of the supported sources for secrets to a Kubernetes Secret. The operator writes the source secret data directly to the destination Kubernetes Secret, ensuring that any changes made to the source are replicated to the destination over its lifetime. In this way, an application only needs to have access to the destination secret in order to make use of the secret data contained within.
The following features are supported by the Vault Secrets Operator:
- Support for syncing from multiple secret sources.
- Automatic secret drift and remediation.
- Automatic secret rotation for
StatefulSetKubernetes resource types.
- Prometheus specific instrumentation for monitoring the Operator.
- Support for installing using:
see the installation docs for more details
The Vault Secrets Operator supports syncing from multiple secret sources. Refer to the secret sources overview for more details.
The following Kubernetes minor releases are currently supported. The latest version is tested against each Kubernetes version. It may work with other versions of Kubernetes, but those are not supported.
The Vault Secrets Operator has been tested successfully in the following hosted Kubernetes environments:
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)
- Red Hat OpenShift
Basic integration tests are available in the project repository. Please report any issues here.
Refer to the Vault Secrets Operator on Kubernetes tutorial to learn the end-to-end workflow using the Vault Secrets Operator.