Vault secrets operator
The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
Overview
The Vault Secrets Operator operates by watching for changes to its supported set of Custom Resource Definitions (CRD). Each CRD provides the specification required to allow the Operator to synchronize a Vault Secrets to a Kubernetes Secret. The Operator writes the source Vault secret data directly to the destination Kubernetes Secret, ensuring that any changes made to the source are replicated to the destination over its lifetime. In this way, an application only needs to have access to the destination secret in order to make use of the secret data contained within.
Features
The following features are supported by the Vault Secrets Operator:
- All Vault secret engines supported.
- TLS/mTLS communications with Vault.
- Authentication to Vault with any of the following Auth Methods:
- Kubernetes
- JWT
- AppRole
- AWS
- Support for additional Auth Methods coming soon.
- Secret rotation for
Deployment
,ReplicaSet
,StatefulSet
Kubernetes resource types. - Prometheus instrumentation for monitoring the Operator
- Support for installing using:
Helm
orKustomize
see the installation docs for more details
Supported Vault versions
- Vault OSS 1.11+
- Vault Enterprise 1.11+
- HCP Vault
Supported kubernetes versions
The following Kubernetes minor releases are currently supported. The latest version is tested against each Kubernetes version. It may work with other versions of Kubernetes, but those are not supported.
- 1.26
- 1.25
- 1.24
- 1.23
- 1.22
Supported Cloud providers
The Vault Secrets Operator has been tested successfully in the following hosted Kubernetes environments:
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)
- Red Hat OpenShift
Basic integration tests are available in the project repository. Please report any incompatibilities via a Github Issue.
Vault access and custom resource definitions
The Vault connection and authentication configuration is provided by the VaultConnection
and VaultAuth
CRDs. These can be considered as
foundational Custom Resources that all secret replication type resources will reference.
VaultConnection custom resource
Provides the configuration necessary for the Operator to connect to a single Vault server instance.
VaultAuth custom resource
Provide the configuration necessary for the Operator to authenticate to a single Vault server instance as
specified in a VaultConnection
Custom Resource.
Vault secret custom resource definitions
Provide the configuration necessary for the Operator to replicate a single Vault Secret to a single Kubernetes Secret. Each supported CRD is specialized to a class of Vault secret, documented below.
VaultStaticSecret custom resource
Provides the configuration necessary for the Operator to synchronize a single Vault static Secret to a single Kubernetes Secret.
Supported secrets engines: kv-v2, kv-v1
KV version 1 secret example
The KV secrets engine's kvv1
mount path is specified under spec.mount
of VaultStaticSecret
custom resource. Please consult KV Secrets Engine - Version 1 - Setup for configuring KV secrets engine version 1. The following results in a request to http://127.0.0.1:8200/v1/kvv1/eng/apikey/google
to retrieve the secret.
KV version 2 secret example
The KV secrets engine's kvv2
mount path is specified under spec.mount
of VaultStaticSecret
custom resource. Please consult KV Secrets Engine - Version 2 - Setup for configuring KV secrets engine version 2. The following results in a request to http://127.0.0.1:8200/v1/kvv2/data/eng/apikey/google?version=2
to retrieve the secret.
VaultPKISecret custom resource
Provides the configuration necessary for the Operator to synchronize a single Vault PKI Secret to a single Kubernetes Secret.
Supported secrets engines: pki
The PKI secrets engine's mount path is specified under spec.mount
of VaultPKISecret
custom resource. Please consult PKI Secrets Engine - Setup and Usage for configuring PKI secrets engine. The following results in a request to http://127.0.0.1:8200/v1/pki/issue/default
to generate TLS certificates.
VaultDynamicSecret custom resource
Provides the configuration necessary for the Operator to synchronize a single Vault dynamic Secret to a single Kubernetes Secret.
Supported secrets engines non-exhaustive: databases, aws,
azure, gcp, ...
Database secret example
The database secret engine's db
mount path is specified under spec.mount
of VaultDynamicSecret
custom resource. Please consult Database Secrets Engine - Setup for configuring the database secrets engine. The following results in a request to http://127.0.0.1:8200/v1/db/creds/my-postgresql-role
to generate a new credential.
AWS secret example
The AWS secrets engine's aws
mount path is specified under spec.mount
of VaultDynamicSecret
custom resource. Please consult AWS Secrets Engine - Setup for configuring AWS secrets engine.
The following results in a request to http://127.0.0.1:8200/v1/aws/creds/my-iam-role
to generate a new IAM credential.
The following results in a request to http://127.0.0.1:8200/v1/aws/sts/my-sts-role
to generate a new STS credential.
Tutorial
Refer to the The Vault Secrets Operator on Kubernetes tutorial to learn the end-to-end workflow using the Vault Secrets Operator.