Managing secrets securely is a critical requirement in modern infrastructure, especially as applications become more distributed and cloud-native. HashiCorp Vault provides a robust, centralized solution for storing and accessing sensitive data such as API keys, tokens, and credentials, while offering encryption-as-a-service and granular access control.
This guide walks you through deploying Vault inside a Kubernetes cluster, a flexible setup suited for development, testing, and production-grade environments.
Prerequisites
Before we begin, ensure you have the following:
1. Kubernetes installed on your VM or host (e.g., via kubeadm, or k3s for a lightweight setup).
2. The kubectl CLI configured to interact with your cluster.
3. The Helm package manager installed (covered in Step 1).
Step 1: Install Helm (if not already installed)
Helm is the package manager for Kubernetes, simplifying the deployment of applications.
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
Verify the installation:
helm version
Expected output:
version.BuildInfo{Version:"v3.12.0", ...}
Step 2: Add the HashiCorp Helm Repository
HashiCorp provides a Helm repository for easy Vault deployment.
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
This ensures you have the latest Vault charts.
Step 3: Create a Namespace for Vault
Namespaces help isolate resources in Kubernetes.
kubectl create namespace vault
Step 4: Deploy Vault in Dev Mode (for Testing)
For quick testing, you can deploy Vault in development mode, which runs in-memory (not suitable for production).
helm install vault hashicorp/vault --namespace vault --set "server.dev.enabled=true"
Warning:
* This mode does not persist data.
* It uses a pre-configured root token (check logs with kubectl logs -n vault vault-0).
* Only for local testing, never in production.
Step 5: Deploy Vault in Production Mode
For a production-ready setup, we’ll use High Availability (HA) mode with Vault’s integrated (Raft) storage, so no external storage backend such as Consul is required.
1. Create a vault-values.yaml file:
server:
  ha:
    enabled: true
    replicas: 3              # Runs 3 Vault pods for HA
    raft:
      enabled: true          # Integrated (Raft) storage; without this the chart expects a Consul backend
  dataStorage:
    enabled: true
    size: 1Gi                # Storage size for Vault data
    storageClass: "default"  # Ensure your cluster has a StorageClass
  standalone:
    enabled: false           # Disable standalone mode
  auditStorage:
    enabled: true            # Provisions a volume for audit logs; enable the file audit device after init
ui:
  enabled: true              # Creates the vault-ui Service used by the Ingress and port-forward steps below
injector:
  enabled: true              # Allows automatic secret injection into pods
2. Install Vault with Helm:
helm install vault hashicorp/vault -n vault -f vault-values.yaml
3. Verify the deployment:
kubectl get pods -n vault
Expected output:
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 1/1     Running   0          2m
vault-agent-injector-5c7b8f6b6d-abc12   1/1     Running   0          2m
Step 6: Expose Vault UI via Ingress (Optional)
If you want to access the Vault Web UI externally, set up an Ingress Controller (e.g., NGINX).
1. Install NGINX Ingress (if not already present):
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace
2. Create an Ingress rule (vault-ingress.yaml):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vault-ingress
  namespace: vault
  annotations:
    # Only keep HTTPS here if the Vault listener itself serves TLS; the Helm chart
    # leaves listener TLS disabled by default (global.tlsDisable: true)
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: vault.yourdomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: vault-ui
            port:
              number: 8200
  tls:
  - hosts:
    - vault.yourdomain.com
    secretName: vault-tls  # Requires a TLS secret (use cert-manager or upload manually)
3. Apply the Ingress rule:
kubectl apply -f vault-ingress.yaml
Step 7: Initialize & Unseal Vault
Vault starts in a sealed state (data encrypted). You must initialize and unseal it.
Option 1: Access via Port-Forwarding (No Ingress)
kubectl port-forward svc/vault-ui 8200:8200 -n vault
Visit: http://localhost:8200
Option 2: Use CLI to Initialize
1. Initialize Vault (generates unseal keys & root token):
kubectl exec -n vault -it vault-0 -- vault operator init
Example output:
Unseal Key 1: abc123...
Unseal Key 2: def456...
Unseal Key 3: ghi789...
Initial Root Token: s.xyz...
Save these keys securely!
2. Unseal Vault (repeat for each key):
kubectl exec -n vault -it vault-0 -- vault operator unseal <Key1>
kubectl exec -n vault -it vault-0 -- vault operator unseal <Key2>
kubectl exec -n vault -it vault-0 -- vault operator unseal <Key3>
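With three replicas, unsealing vault-0 alone is not enough: vault-1 and vault-2 must join the Raft cluster and be unsealed with the same keys. The script below is an added example, not part of the original guide, that runs the whole Option 2 sequence and parses the plain-text init output shown above. It assumes the Step 5 values file, the chart’s headless Service name vault-internal, listener TLS at the chart default (disabled) and a working kubectl context.

```shell
#!/bin/sh
# Added example, not from the original guide: initialize vault-0, unseal it with a
# threshold of keys, then join vault-1 and vault-2 to the Raft cluster and unseal them.
# Assumes the 3-replica HA values above, the chart's default headless Service name
# vault-internal (assumption), listener TLS disabled (chart default) and kubectl access.
set -eu
NS=${VAULT_NS:-vault}
SHARES=${KEY_SHARES:-5}
THRESHOLD=${KEY_THRESHOLD:-3}
INIT_OUT=${INIT_OUT:-vault-init.txt}
LEADER=${LEADER:-http://vault-0.vault-internal:8200}

# Run a vault CLI command inside a given pod.
vexec() { _pod=$1; shift; kubectl exec -n "$NS" "$_pod" -- vault "$@"; }

# Extract the unseal keys (one per line) from `vault operator init` output.
unseal_keys() { awk '/^Unseal Key [0-9]+:/ {print $4}' "$1"; }

# Extract the initial root token from the same output.
root_token() { awk '/^Initial Root Token:/ {print $4}' "$1"; }

# Feed the first THRESHOLD keys to a pod's unseal endpoint.
unseal_pod() {
  unseal_keys "$INIT_OUT" | head -n "$THRESHOLD" | while read -r key; do
    vexec "$1" operator unseal "$key" >/dev/null
  done
}

main() {
  umask 077   # the init output holds every unseal key and the root token
  vexec vault-0 operator init -key-shares="$SHARES" -key-threshold="$THRESHOLD" > "$INIT_OUT"
  # Sanity check before unsealing anything: did we capture all the shares?
  [ "$(unseal_keys "$INIT_OUT" | wc -l)" -eq "$SHARES" ] || { echo "unexpected init output" >&2; exit 1; }
  unseal_pod vault-0
  for peer in vault-1 vault-2; do
    vexec "$peer" operator raft join "$LEADER"
    unseal_pod "$peer"
  done
  echo "Done. Move the keys out of $INIT_OUT into a KMS or offline store, then delete it."
}

case "${1:-}" in --run) main ;; esac
```

Run it as `sh init-unseal.sh --run`; the root token it records should be used only to bootstrap auth methods and then revoked.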
Your Vault is Ready Now!
Now that Vault is running, you can:
* Store secrets securely.
* Use Vault Agent to auto-inject secrets into pods.
* Integrate with apps like Odoo, databases, or CI/CD pipelines.
* Set up authentication methods (e.g., Kubernetes Auth, LDAP).
* Configure dynamic secrets for databases.
* Enable audit logging for compliance.
Deploying HashiCorp Vault on Kubernetes using Helm provides a secure and scalable way to manage secrets in your cluster. With high availability, optional auto-unseal, and Kubernetes authentication, Vault enables dynamic, centralized secret management for modern applications.
To read more, refer to our blog post Overview of HashiCorp Vault: A Beginner’s Guide to Secrets Management.