Tools for running HashiCorp <strong>Vault</strong> on <strong>Kubernetes</strong>
When a Vault server is started, it starts in a sealed state. In a sealed state, almost no operation is possible with a Vault server. So, you will need to unseal Vault. Vault operator provides automatic initialization and unsealing facility. When you deploy or scale up a Vault server, you don't have worry about unsealing new Vault pods. Vault operator will do it for you. Also, it provides a secure way to store unseal keys and root token.
Policies in Vault provide a declarative way to grant or forbid access to certain paths and operations in Vault. You can create, delete and update policy in Vault in a Kubernetes native way using Vault operator. Vault operator also provides a way to bind Vault policy with Kubernetes service accounts. ServiceAccounts will have the permissions that are specified in the policy.
AWS secret engine in Vault generates AWS access credentials dynamically based on IAM policies. This makes AWS IAM user management easier. Using Vault operator, you can configure AWS secret engine and issue AWS access credential via Vault. A User can request AWS credential and after it's been approved Vault operator will create a Kubernetes Secret containing the AWS credential and also creates RBAC Role and RoleBinding so that the user can access the secret.
The Azure secrets engine dynamically generates Azure service principals and role assignments. Vault roles can be mapped to one or more Azure roles, providing a simple, flexible way to manage the permissions granted to generated service principals. By using vault operator, one can easily configure vault azure secret engine and make request to generate service principals. Once the request is approved, the operator will get the credentials from vault and create kubernetes secret for storing those credentials. The operator also creates RBAC role and RoleBinding so that user can access the secret.
The Google Cloud Vault secrets engine dynamically generates Google Cloud service account keys and OAuth tokens based on IAM policies. This enables users to gain access to Google Cloud resources without needing to create or manage a dedicated service account. By using vault operator, one can easily configure vault gcp secret engine and make request to generate Google Cloud account keys and OAuth tokens based on IAM policies. Once the request is approved, the operator will get the credentials from vault and create kubernetes secret for storing those credentials. The operator also creates RBAC role and RoleBinding so that user can access the secret.
PostgreSQL, MySQL & MongoDB database secret engine in Vault generates MongoDB database credentials dynamically based on configured roles. Using Vault operator, you can configure secret engine, create role and issue credential from Vault. A User can request credential and after it's been approved Vault operator will create a Kubernetes Secret containing the credential and also creates RBAC Role and RoleBinding so that the user can access the Secret.
InterSystems was delighted to engage with AppsCode in the delicate, yet fundamental task of supporting durable, non-ephemeral workloads with Kubernetes. We needed the best-prepared, most-proficient database operator consulting in the industry. Given AppsCode's pedigree of database building operators, the decision was easy. No time was wasted and all objectives reached in an amazingly short period of time. I would recommend AppsCode consulting for any Kubernetes related work.
Product Manager at InterSystems
Voyager made it simple and efficient for us to protect and initiate our bare metal Kubernetes workload. Its underlying technology and extensive L4 support along with seamless SSL integration is what made us choose Voyager over others. Voyager team is also very responsive when it comes to support. Great product!
Solutions Architect at Elpheria
Voyager is the easiest way to use the fast and reliable HAProxy as our ingress controller. At PriceHubble, it is the corner-stone of our blue/green deployments.
DevOps Engineer at PriceHubble AG
I work with a few Kubernetes clusters and we use Voyager as our preferred ingress controller. We really like the ease of configuration. Documentation is pretty good. Also the use of HaProxy is important for us because it works really well with both L4 and L7 load balancing. One of our TCP services, Wayk Now, is able to withstand thousands of persistent connections very smoothly at the same time.
DevOPS Specialist at Devolutions.net
We really like using Voyager. Its straightforward and well-documented config and SSL (especially Let's Encrypt) has made our migration of services to Kubernetes a breeze. Each major version has been a very welcome update!
Senior Developer at BIRDI Pty Ltd
Install KubeVault in your Kubernetes cluster