Running Vault with Kubernetes

Running Vault with Kubernetes can be done differently based on the environments and needs, whether you’re running Vault side-by-side or within Kubernetes. The goal is to provide a variety of options around how to leverage Vault and Kubernetes to securely introduce secrets into applications and infrastructure.
Explore HashiCorp LearnExplore Documentation

Learn how to integrate Vault and Kubernetes

Vault on Kubernetes Reference Architecture

This document outlines a reference architecture for deployment of HashiCorp Vault in the context of the Kubernetes cluster scheduler.

Link to Guide

Integrate a Kubernetes Cluster with an External Vault

In this guide, you will run Vault locally, start a Kubernetes cluster with Minikube, deploy an application that retrieves secrets from this Vault, and configure an injector only deployment to inject secrets into the pods from this Vault.

Link to Guide

Injecting Secrets into Kubernetes Pods via Vault Helm Sidecar

In this guide, you setup Vault and this injector service with the Vault Helm chart. Then deploy several applications to demonstrate how this new injector service retrieves and writes these secrets for the applications use.

Link to Guide

Vault on Kubernetes Security Considerations

This guide highlights where extra precaution is needed when you deploy Vault on Kubernetes in production.

Link to Guide

Vault Installation to Minikube via Helm

In this guide, you will setup Vault and its dependencies with a Helm chart. Then integrate a web application that uses the Kubernetes service account token to authenticate with Vault and retrieve a secret.

Link to Guide

Mount Vault Secrets through Container Storage Interface (CSI) Volume

This document outlines a reference architecture for deployment of HashiCorp Vault in the context of the Kubernetes cluster scheduler.

Link to Guide

Documentation

Platform

Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart. The helm chart allows users to deploy Vault in various configurations

Link to Docs

Auth Method

The kubernetes auth method can be used to authenticate with Vault using a Kubernetes Service Account Token. This method of authentication makes it easy to introduce a Vault token into a Kubernetes Pod.

Link to Docs

Examples

The following are different configuration examples to support a variety of deployment models.

Link to Docs

Agent Sidecar

Overview

The Vault Agent Injector alters pod specifications to include Vault Agent containers that render Vault secrets to a shared memory volume using Vault Agent Templates.

Link to Docs

Installation

The following are the different methods of installing the Agent Injector in Kubernetes.

Link to Docs

Annotations

The following are the available annotations for the injector.

Link to Docs

Examples

Standalone Server with Load Balanced UI

Learn More

Standalone Server with TLS

Learn More

Standalone Server with Audit Storage

Learn More

Highly Available Vault Cluster with Consul

Learn More

Using Kubernetes Auth Method

Learn More

When to consider Vault Enterprise?

Open Source

Technical Complexity

Vault Open Source addresses the technical complexity of managing secrets by leveraging trusted identities across distributed infrastructure and clouds.

View Open Source Features
Enterprise

Organizational Complexity

Vault Enterprise addresses the organizational complexity of large user bases and compliance requirements with collaboration and governance features.

View Enterprise Features

Ready to get started?

Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.

Explore HashiCorp Learn
Explore Documentation

Related Resources