f3df55ad58
* Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
62 lines
3.4 KiB
Plaintext
62 lines
3.4 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Kubernetes
|
|
description: This section documents the official integration between Vault and Kubernetes.
|
|
---
|
|
|
|
# Kubernetes
|
|
|
|
Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart.
|
|
The Helm chart allows users to deploy Vault in various configurations:
|
|
|
|
- Dev: a single in-memory Vault server for testing Vault
|
|
- Standalone (default): a single Vault server persisting to a volume using the file storage backend
|
|
- High-Availability (HA): a cluster of Vault servers that use an HA storage backend such as Consul (default)
|
|
- External: a Vault Agent Injector server that depends on an external Vault server
|
|
|
|
## Use Cases
|
|
|
|
**Running a Vault Service:** The Vault server cluster can run directly on Kubernetes.
|
|
This can be used by applications running within Kubernetes as well as external to
|
|
Kubernetes, as long as they can communicate to the server via the network.
|
|
|
|
**Accessing and Storing Secrets:** Applications using the Vault service running in
|
|
Kubernetes can access and store secrets from Vault using a number of different
|
|
[secret engines](/vault/docs/secrets) and [authentication methods](/vault/docs/auth).
|
|
|
|
**Running a Highly Available Vault Service:** By using pod affinities, highly available
|
|
backend storage (such as Consul) and [auto-unseal](/vault/docs/concepts/seal#auto-unseal),
|
|
Vault can become a highly available service in Kubernetes.
|
|
|
|
**Encryption as a Service:** Applications using the Vault service running in Kubernetes
|
|
can leverage the [Transit secret engine](/vault/docs/secrets/transit)
|
|
as "encryption as a service". This allows applications to offload encryption needs
|
|
to Vault before storing data at rest.
|
|
|
|
**Audit Logs for Vault:** Operators can choose to attach a persistent volume
|
|
to the Vault cluster which can be used to [store audit logs](/vault/docs/audit).
|
|
|
|
**And more!** Vault can run directly on Kubernetes, so in addition to the
|
|
native integrations provided by Vault itself, any other tool built for
|
|
Kubernetes can choose to leverage Vault.
|
|
|
|
## Getting Started with Vault and Kubernetes
|
|
|
|
There are several ways to try Vault with Kubernetes in different environments.
|
|
|
|
### Guides
|
|
|
|
- [Vault Installation to Minikube via Helm with Integrated Storage](/vault/tutorials/kubernetes/kubernetes-minikube-raft) covers installing Vault locally using Minikube and the official Helm chart.
|
|
|
|
- [Vault Installation to Red Hat OpenShift via Helm](/vault/tutorials/kubernetes/kubernetes-openshift) covers installing Vault using Helm on Red Hat's OpenShift platform.
|
|
|
|
- [Integrate a Kubernetes Cluster with an External Vault](/vault/tutorials/kubernetes/kubernetes-external-vault) provides an example of making Vault accessible via a Kubernetes service and endpoint.
|
|
|
|
- [Vault on Kubernetes Deployment Guide](/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide) covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the [Vault on Kubernetes Reference Architecture](/vault/tutorials/kubernetes/kubernetes-reference-architecture).
|
|
|
|
### Documentation
|
|
|
|
- [Vault on Kubernetes Reference Architecture](/vault/tutorials/kubernetes/kubernetes-reference-architecture) provides recommended practices for running Vault on Kubernetes in production.
|
|
|
|
- [Vault on Kubernetes Security Considerations](/vault/tutorials/kubernetes/kubernetes-security-concerns) provides recommendations specific to securely running Vault in a production Kubernetes environment.
|