Run Production-Grade Vault on Kubernetes

KubeVault is a Git-Ops ready, production-grade solution
for deploying and configuring HashiCorp's Vault on Kubernetes.

$ helm repo add appscode https://charts.appscode.com/stable/
$ helm repo update
$ helm install kubevault appscode/kubevault \
    --version v2022.06.16 \
    --namespace kubevault --create-namespace \
    --set-file global.license=/path/to/the/license.txt

Special Features

Vault Kubernetes Deployment

You can deploy TLS-secured Vault servers on Kubernetes using KubeVault. TLS certificates can be self-signed or managed by cert-manager. Running and managing Vault and its resources has never been easier.

Auto Initialization & Unsealing

KubeVault provides various ways to automatically initialize and unseal your Vault servers. You can store the unseal keys and Vault token with the cloud provider of your choice (GCP, AWS, Azure, etc.) or even in a Kubernetes Secret.

Consume Vault Secrets using Secrets Store CSI Driver

KubeVault works seamlessly with the Secrets Store CSI Driver. Consuming Vault secrets in Kubernetes resources is much simpler with the automation provided by KubeVault.

Manage DB Users Privileges

Managing DB user privileges is a complicated task that KubeVault makes simple. KubeVault works seamlessly with KubeDB-managed databases. CRDs like SecretAccessRequest, SecretRoleBinding, etc. make granting, revoking, and auditing user privileges extremely convenient.

Storage Backend

KubeVault lets you choose your preferred way to store and persist Vault data. Each storage backend has its own pros and cons. Supported backends include GCS, AWS S3, Azure, Consul, Raft, Etcd, MySQL, Postgres, and DynamoDB, to name a few.

Authentication Method

You can authenticate to Vault in numerous ways with KubeVault, each with its own use cases. Supported methods include Kubernetes Service Account token, AWS IAM, Azure, Userpass, and JWT/OIDC, to name a few.

Database Secret Engine

The PostgreSQL, MySQL, Elasticsearch, and MongoDB database secret engines in Vault generate database credentials dynamically based on configured roles. Using Vault, you can configure a secret engine, create a role, and issue dynamic credentials.

Azure Secret Engine

Azure Secrets Engine dynamically generates Azure service principals and role assignments. Vault roles can be mapped to one or more Azure roles, providing a simple way to manage the permissions granted to generated service principals.

AWS Secret Engine

The AWS Secret Engine in Vault generates AWS access credentials dynamically based on IAM policies. Using the Vault operator, you can configure the AWS secret engine and issue AWS access credentials.

GCP Secret Engine

The Google Cloud secrets engine in Vault dynamically generates Google Cloud service account keys and OAuth tokens based on IAM policies. Using Vault, a user can easily configure the GCP Secret Engine and request the generation of Google Cloud service account keys and OAuth tokens.

Kubectl Plugin

KubeVault CLI is a kubectl plugin that supports various handy features while using KubeVault. It automates numerous tedious tasks and provides simpler ways to interact with Vault. With KubeVault CLI you can perform CRUD operations on Vault unseal keys and root tokens stored in different clouds, generate a SecretProviderClass, and more.
