You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.


Concepts help you learn about the different parts of KubeVault and the abstractions it uses.

  • What is KubeVault?
    • Overview. Provides an introduction to KubeVault operator, including the problems it solves and its use cases.
    • Operator architecture. Provides a high-level illustration of the architecture of the KubeVault operator.


Introduces a way to specify connection information, credential, and parameters that are necessary for communicating with an app or service.

Vault Server Version

Introduces the concept of VaultServerVersion to specify the docker images of HashiCorp Vault, Unsealer, and Exporter.

Vault Server

A VaultServer is a Kubernetes CustomResourceDefinition (CRD) which is used to deploy a HashiCorp Vault server on Kubernetes clusters in a Kubernetes native way. Introduces the concept of VaultServer for configuring a HashiCorp Vault server in a Kubernetes native way.

Vault Unsealer Options

When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn’t know how to decrypt any of it.

Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key to decrypt the data, allowing access to the Vault. Initializing & Unsealing Vault servers can be a tedious job. Introduces to various methods of automatically Initialization & Unsealing Vault Servers.

Vault Server Storage

The storage backend represents the location for the durable storage of Vault’s information. Each backend has pros, cons, advantages, and trade-offs. For example, some backends support High Availability - HA while others provide a more robust backup and restoration process. Introduces to various Storage Backend options supported by KubeVault.

Authentication Methods for Vault Server

Auth methods are the components in Vault that perform authentication and are responsible for assigning identity and a set of policies to a user. In all cases, Vault will enforce authentication as part of the request processing. In most cases, Vault will delegate the authentication administration and decision to the relevant configured external auth method (e.g., Amazon Web Services, GitHub, Google Cloud Platform, Kubernetes, Microsoft Azure, Okta, JWT/OIDC).

Having multiple auth methods enables you to use an auth method that makes the most sense for your use case of Vault and your organization. Introduces to various Authentication methods supported by KubeVault.

Secret Engine

SecretEngine is a Kubernetes Custom Resource Definition(CRD). It provides a way to enable and configure a Vault secret engine. Introduces to SecretEngine CRD, fields, & it’s various use cases.

Secret Engine Roles

In a Secret Engine, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the Secret Engine. Introduces to various roles supported by KubeVault.

Secret Access Request

A SecretAccessRequest is a Kubernetes CustomResourceDefinition (CRD) which allows a user to request a Vault server for credentials in a Kubernetes native way. A SecretAccessRequest can be created under various roleRef e.g: AWSRole, GCPRole, ElasticsearchRole, MongoDBRole, etc. Introduces to SecretAccessRequest CRD, fields & it’s various use cases.

Secret Role Binding

A SecretRoleBinding is a Kubernetes CustomResourceDefinition (CRD) which allows a user to bind a set of roles to a set of users. Using the SecretRoleBinding it’s possible to bind various roles e.g: AWSRole, GCPRole, ElasticsearchRole, MongoDBRole, etc. to Kubernetes ServiceAccounts.

Vault Policy

Everything in the Vault is path-based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain operations in Vault. Policies are deny by default, so an empty policy grants no permission in the system.

  • VaultPolicy: is used to create, update or delete Vault policies.
  • VaultPolicyBinding: is used to create Vault auth roles associated with an authentication type/entity and a set of Vault policies.