A Vault swiss-army knife: A K8s operator. Go client with automatic token renewal, Kubernetes support, dynamic secrets, multiple unseal options and more. A CLI tool to init, unseal and configure Vault (auth methods, secret engines). Direct secret injection into Pods.

View the Project on GitHub banzaicloud/bank-vaults

Vault Operator

This directory holds the code of the Banzai Cloud Vault Operator.


cd operator
operator-sdk build banzaicloud/vault-operator

Regenerate the k8s code by the operator-sdk:

cd operator
ln -s ../vendor vendor
operator-sdk generate k8s

Deploying the operator

Some deployment samples can be found at the projects operator/deploy directory:

kubectl apply -f operator/deploy/rbac.yaml     # If you have an RBAC enabled cluster
kubectl apply -f operator/deploy/operator.yaml

This will create a Kubernetes CustomResourceDefinition called Vault (and a PersistentVolume for it). A documented example of this CRD can be found in operator/deploy/cr.yaml:

kubectl apply -f operator/deploy/cr.yaml

Delete Vault and the PersistentVolume:

kubectl delete -f operator/deploy/cr.yaml

HA setup with etcd

Additionally you have to deploy the etcd-operator to the cluster as well:

kubectl apply -f operator/deploy/etcd-rbac.yaml
kubectl apply -f operator/deploy/etcd-operator.yaml

Now deploy a HA vault which connects to an etcd storage backend:

kubectl apply -f operator/deploy/cr-etcd-ha.yaml

From now on, if you deploy a Vault CRD into the cluster which has an Etcd Storage Backend defined in its configuration the Vault operator will create an EtcdCluster CRD for the Vault instance, and the etcd-operator will orchestrate the etcd cluster. After the etcd cluster is ready the Vault instance can connect to it and will start up. If the Vault CRD is deleted from the cluster the etcd cluster will be GCd as well. You have to make sure you define backup and restore for the etcd cluster to prevent data loss, this part is not handled by the Vault operator, see this document for more details.

Use existing etcd

If you want to use an existing etcd. You can set etcdSize vault to < 0. Then it won’t create a new etcd. And all config under etcd storage will not be override.

Pod anti-affinity

If you want setup pod anti-affinity. You can set podAntiAffinity vault with a topologyKey value. For example, you can use to force K8S deploy vault on multi AZ.