62 lines
3.6 KiB
Plaintext
62 lines
3.6 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Kubernetes
|
|
description: This section documents the official integration between Vault and Kubernetes.
|
|
---
|
|
|
|
# Kubernetes
|
|
|
|
Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart.
|
|
The Helm chart allows users to deploy Vault in various configurations:
|
|
|
|
- Dev: a single in-memory Vault server for testing Vault
|
|
- Standalone (default): a single Vault server persisting to a volume using the file storage backend
|
|
- High-Availability (HA): a cluster of Vault servers that use an HA storage backend such as Consul (default)
|
|
- External: a Vault Agent Injector server that depends on an external Vault server
|
|
|
|
## Use Cases
|
|
|
|
**Running a Vault Service:** The Vault server cluster can run directly on Kubernetes.
|
|
This can be used by applications running within Kubernetes as well as external to
|
|
Kubernetes, as long as they can communicate to the server via the network.
|
|
|
|
**Accessing and Storing Secrets:** Applications using the Vault service running in
|
|
Kubernetes can access and store secrets from Vault using a number of different
|
|
[secret engines](/docs/secrets) and [authentication methods](/docs/auth).
|
|
|
|
**Running a Highly Available Vault Service:** By using pod affinities, highly available
|
|
backend storage (such as Consul) and [auto-unseal](/docs/concepts/seal#auto-unseal),
|
|
Vault can become a highly available service in Kubernetes.
|
|
|
|
**Encryption as a Service:** Applications using the Vault service running in Kubernetes
|
|
can leverage the [Transit secret engine](/docs/secrets/transit)
|
|
as "encryption as a service". This allows applications to offload encryption needs
|
|
to Vault before storing data at rest.
|
|
|
|
**Audit Logs for Vault:** Operators can choose to attach a persistent volume
|
|
to the Vault cluster which can be used to [store audit logs](/docs/audit).
|
|
|
|
**And more!** Vault can run directly on Kubernetes, so in addition to the
|
|
native integrations provided by Vault itself, any other tool built for
|
|
Kubernetes can choose to leverage Vault.
|
|
|
|
## Getting Started with Vault and Kubernetes
|
|
|
|
There are several ways to try Vault with Kubernetes in different environments.
|
|
|
|
### Guides
|
|
|
|
- [Vault Installation to Minikube via Helm](https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube?in=vault/kubernetes) covers installing Vault locally using Minikube and the official Helm chart.
|
|
|
|
- [Vault Installation to Red Hat OpenShift via Helm](https://learn.hashicorp.com/tutorials/vault/kubernetes-openshift?in=vault/kubernetes) covers installing Vault using Helm on Red Hat's OpenShift platform.
|
|
|
|
- [Integrate a Kubernetes Cluster with an External Vault](https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes) provides an example of making Vault accessible via a Kubernetes service and endpoint.
|
|
|
|
- [Vault on Kubernetes Deployment Guide](https://learn.hashicorp.com/tutorials/vault/kubernetes-raft-deployment-guide?in=vault/kubernetes) covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the [Vault on Kubernetes Reference Architecture](https://learn.hashicorp.com/tutorials/vault/kubernetes-reference-architecture?in=vault/kubernetes).
|
|
|
|
### Documentation
|
|
|
|
- [Vault on Kubernetes Reference Architecture](https://learn.hashicorp.com/tutorials/vault/kubernetes-reference-architecture?in=vault/kubernetes) provides recommended practices for running Vault on Kubernetes in production.
|
|
|
|
- [Vault on Kubernetes Security Considerations](https://learn.hashicorp.com/tutorials/vault/kubernetes-security-concerns?in=vault/kubernetes) provides recommendations specific to securely running Vault in a production Kubernetes environment.
|