A Vault swiss-army knife: a K8s operator, Go client with automatic token renewal, automatic configuration, multiple unseal options and more. A CLI tool to init, unseal and configure Vault (auth methods, secret engines). Direct secret injection into Pods.

View the Project on GitHub banzaicloud/bank-vaults

Vault Operator

This directory holds the code of the Banzai Cloud Vault Operator.


go build ./operator/cmd/manager

If you wish to build the operator Docker image:

make docker-operator

Regenerate the k8s code by the operator-sdk:

cd operator
ln -s ../go.mod go.mod
operator-sdk generate k8s
rm go.mod go.sum

Deploying the operator

Quick start deployment

Some deployment **samples** can be found at the projects operator/deploy directory (we use these for testing):

kubectl apply -f operator/deploy/operator-rbac.yaml     # If you have an RBAC enabled cluster
kubectl apply -f operator/deploy/operator.yaml

This will create a Kubernetes CustomResourceDefinition called Vault (and a PersistentVolume for it). A documented example of this CRD can be found in operator/deploy/cr.yaml:

kubectl apply -f operator/deploy/rbac.yaml
kubectl apply -f operator/deploy/cr.yaml

Delete Vault and the PersistentVolume and RBAC:

kubectl delete -f operator/deploy/rbac.yaml
kubectl delete -f operator/deploy/cr.yaml

HA setup with etcd

Additionally you have to deploy the etcd-operator to the cluster as well:

kubectl apply -f operator/deploy/etcd-rbac.yaml
kubectl apply -f operator/deploy/etcd-operator.yaml

Now deploy a HA vault which connects to an etcd storage backend:

kubectl apply -f operator/deploy/cr-etcd-ha.yaml

From now on, if you deploy a Vault CRD into the cluster which has an Etcd Storage Backend defined in its configuration the Vault operator will create an EtcdCluster CRD for the Vault instance, and the etcd-operator will orchestrate the etcd cluster. After the etcd cluster is ready the Vault instance can connect to it and will start up. If the Vault CRD is deleted from the cluster the etcd cluster will be GCd as well. You have to make sure you define backup and restore for the etcd cluster to prevent data loss, this part is not handled by the Vault operator, see this document for more details.

Use existing etcd

If you want to use an existing etcd. You can set etcdSize vault to < 0 (e.g.: -1). Then it won’t create a new etcd. And all config under etcd storage will not be override.

Pod anti-affinity

If you want setup pod anti-affinity. You can set podAntiAffinity vault with a topologyKey value. For example, you can use to force K8S deploy vault on multi AZ.

Production deployment

The proper way for deploying the operator is currently to use the Helm chart or to create your own deployment manifests.