Vault Secrets Operator
The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets and HCP Vault Secrets Apps natively from Kubernetes Secrets.
Overview
The Vault Secrets Operator operates by watching for changes to its supported set of Custom Resource Definitions (CRD). Each CRD provides the specification required to allow the operator to synchronize from one of the supported sources for secrets to a Kubernetes Secret. The operator writes the source secret data directly to the destination Kubernetes Secret, ensuring that any changes made to the source are replicated to the destination over its lifetime. In this way, an application only needs to have access to the destination secret in order to make use of the secret data contained within.
Features
The following features are supported by the Vault Secrets Operator:
- Support for syncing from multiple secret sources.
- Automatic secret drift and remediation.
- Automatic secret rotation for
Deployment
,ReplicaSet
,StatefulSet
Kubernetes resource types. - Prometheus specific instrumentation for monitoring the Operator.
- Support for installing using:
Helm
orKustomize
see the installation docs for more details - Support for secret data transformation.
Supported secret sources
The Vault Secrets Operator supports syncing from multiple secret sources. Refer to the secret sources overview for more details.
Supported kubernetes versions
The following Kubernetes minor releases are currently supported. The latest version is tested against each Kubernetes version. It may work with other versions of Kubernetes, but those are not supported.
- 1.28
- 1.27
- 1.26
- 1.25
- 1.24
Supported Kubernetes distributions
The Vault Secrets Operator has been tested successfully in the following hosted Kubernetes environments:
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)
- Red Hat OpenShift
Basic integration tests are available in the project repository. Please report any issues here.
Threat model and security considerations
HashiCorp takes security seriously and strives to enable users to configure their systems with security and safety in mind. Please see the Vault Secrets Operator's Threat Model for highlights on how using the Vault Secrets Operator affects users' security posture and recommendations for running securely.
Tutorial
Refer to the Vault Secrets Operator on Kubernetes tutorial to learn the end-to-end workflow using the Vault Secrets Operator.