Vault Access Operator

A Kubernetes operator for managing HashiCorp Vault access policies and Kubernetes authentication roles declaratively through Custom Resource Definitions (CRDs).

Overview

The Vault Access Operator enables platform teams to manage Vault policies and Kubernetes authentication roles using native Kubernetes resources. It provides a GitOps-friendly approach to Vault access management, allowing teams to version control their Vault configurations alongside their application deployments.

Key Features

Access Management

  • Declarative Vault Policy Management - Define Vault policies as Kubernetes resources
  • Kubernetes Auth Role Management - Configure Vault Kubernetes authentication roles through CRDs
  • Namespace Boundary Enforcement - Automatically restrict namespaced policies to their namespace scope
  • Variable Substitution - Use {{namespace}} and {{name}} variables in policy paths
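As an added illustration of how Namespace Boundary Enforcement and Variable Substitution fit together (example code written here, not the operator's own implementation): a Go routine renders `{{namespace}}` and `{{name}}` into Vault policy HCL and refuses any rendered path that does not stay under the namespace's own prefix. The `<mount>/<data|metadata>/<namespace>/...` layout, the `PolicyRule` shape and all function names are assumptions for this example, not the operator's CRD schema.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is one path rule of a namespaced policy (constructed shape for
// this example; the operator's real CRD fields may differ).
type PolicyRule struct {
	Path         string
	Capabilities []string
}

// RenderPath substitutes the {{namespace}} and {{name}} variables into a path template.
func RenderPath(tmpl, namespace, name string) string {
	return strings.NewReplacer("{{namespace}}", namespace, "{{name}}", name).Replace(tmpl)
}

// withinNamespace checks that a rendered path is <mount>/<data|metadata>/<namespace>/...
// with literal leading segments, so no glob (* or +) can widen the scope past the
// namespace boundary. The prefix layout is an assumption of this example.
func withinNamespace(path, namespace string) bool {
	segs := strings.Split(path, "/")
	if len(segs) < 3 {
		return false
	}
	for _, s := range segs[:3] {
		if s == "" || strings.ContainsAny(s, "*+") {
			return false
		}
	}
	return segs[2] == namespace
}

// RenderScopedPolicy renders every rule into HCL, failing on the first rule whose
// path escapes the namespace so an out-of-scope policy is never written to Vault.
func RenderScopedPolicy(rules []PolicyRule, namespace, name string) (string, error) {
	var b strings.Builder
	for _, r := range rules {
		p := RenderPath(r.Path, namespace, name)
		if !withinNamespace(p, namespace) {
			return "", fmt.Errorf("path %q escapes namespace %q", p, namespace)
		}
		caps := `"` + strings.Join(r.Capabilities, `", "`) + `"`
		fmt.Fprintf(&b, "path %q {\n  capabilities = [%s]\n}\n", p, caps)
	}
	return b.String(), nil
}
```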

Authentication

  • 8 Authentication Methods - Support for Kubernetes, JWT, OIDC, AWS IAM, GCP IAM, AppRole, Token, and Bootstrap
  • Token Renewal Strategies - Choose between renew or re-authenticate strategies
  • Automatic Token Management - Proactive token renewal before expiration

Operations

  • Drift Detection - Detect and optionally correct configuration drift between K8s and Vault
  • Resource Discovery - Find unmanaged Vault resources for adoption
  • Conflict Detection and Handling - Choose between fail-fast or adopt strategies for existing resources
  • Deletion Policies - Control whether Vault resources are retained or deleted when K8s resources are removed

Reliability

  • Exponential Backoff Retry - Intelligent retry with jitter for transient failures
  • Health Monitoring - Continuous health checks with automatic recovery
  • Admission Webhooks - Validate resources before creation with detailed error messages

Quick Installation

helm install vault-access-operator \
  oci://ghcr.io/panteparak/vault-access-operator/charts/vault-access-operator \
  --namespace vault-access-operator-system \
  --create-namespace
kubectl apply -f https://raw.githubusercontent.com/panteparak/vault-access-operator/main/dist/install.yaml

For detailed installation instructions, see the Getting Started guide.

Custom Resource Definitions

The operator provides five CRDs for managing Vault access:

CRD                 Scope       Description
VaultConnection     Cluster     Establishes the connection to the Vault server
VaultClusterPolicy  Cluster     Manages cluster-wide Vault policies
VaultPolicy         Namespaced  Manages namespace-scoped Vault policies
VaultClusterRole    Cluster     Manages cluster-wide Kubernetes auth roles
VaultRole           Namespaced  Manages namespace-scoped Kubernetes auth roles

Prerequisites

  • Kubernetes cluster (v1.25+)
  • HashiCorp Vault server
  • cert-manager (for webhook certificates, optional)
  • kubectl configured to access your cluster

Documentation

  • Getting Started
  • Concepts
  • Authentication Methods
  • Reference
  • Community

License

Copyright 2024-2026 Vault Access Operator Contributors.

Licensed under the Apache License, Version 2.0.