Can vault-k8s populate kube secrets object?

Hello Everyone,

I was very happy to see the newish vault-k8s project to render secrets to a shared volume so containers in a k8s pod can consume them without being Vault aware.

Is it possible to have vault-k8s inject secrets from Vault into a kube secrets object instead? Not sure why you chose to write to a shared volume instead of kube secrets?

In our case, we have a pre-deploy step that renders secrets out of Vault and injects them into kube manifest templates, including kube secrets objects that we then use with kubectl apply.

I was hoping to use vault-k8s to replace our pre-deploy template muckery, but it seems we would have to adjust our services to look for secrets in a shared volume instead of using k8s secrets. Do I have that right?

Thanks

There were many alternatives before vault-k8s was released; one is vaultingkube. As an alternative, it is always possible to write something on your own, for example an init-container which will authenticate and then sync KVs into Secrets or ConfigMap recursively.
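A sketch of the rendering step of the sync described in the reply above, added here as an example and not part of the original post or of any project named in the thread. It assumes KV v2 read responses (`data.data` plus `data.metadata`) have already been fetched after authentication; the Vault paths, the `vault-path`/`vault-version` annotation names, and the sample values are constructed for illustration.

```python
import base64
import json
import re

# Kubernetes accepts only these characters in Secret data keys.
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")

# Constructed sample: KV v2 read responses keyed by hypothetical Vault paths.
SAMPLE_KV = {
    "secret/data/myapp/db": {"data": {"data": {"username": "app", "password": "s3cr3t"},
                                      "metadata": {"version": 3}}},
    "secret/data/myapp/api": {"data": {"data": {"token": "abc123", "bad key": "x"},
                                       "metadata": {"version": 1}}},
}

def secret_name(path, mount="secret"):
    """Derive a lowercase, dash-separated object name from the path below the mount."""
    rel = path[len(mount) + len("/data/"):]
    return re.sub(r"[^a-z0-9-]", "-", rel.lower()).strip("-")

def to_manifest(path, response, namespace="default"):
    """Build a v1 Secret from one KV v2 response; returns (manifest, skipped_keys)."""
    kv = response["data"]["data"]
    data, skipped = {}, []
    for key, value in sorted(kv.items()):
        if not KEY_RE.match(key):
            skipped.append(key)  # report it; never silently rename a secret key
            continue
        if not isinstance(value, str):
            value = json.dumps(value)  # KV values may be nested JSON
        # base64 is an encoding, not encryption: RBAC and etcd encryption still matter.
        data[key] = base64.b64encode(value.encode()).decode()
    version = str(response["data"]["metadata"]["version"])
    manifest = {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": secret_name(path), "namespace": namespace,
                     # Hypothetical annotation names, used to trace the source version.
                     "annotations": {"vault-path": path, "vault-version": version}},
        "data": data,
    }
    return manifest, skipped

def sync(responses, namespace="default"):
    """Render every fetched path, in sorted path order, into a Secret manifest."""
    return [to_manifest(p, r, namespace) for p, r in sorted(responses.items())]

if __name__ == "__main__":
    for manifest, skipped in sync(SAMPLE_KV):
        print(json.dumps(manifest, indent=2), "skipped:", skipped)
```

The printed JSON manifests can be passed to `kubectl apply -f -`; keys listed as skipped need renaming in Vault before they can appear in a Secret.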

Thanks for the reply Viacheslav! I also thought about somehow extending vault-k8s to sync the secrets from the shared volume to k8s secrets once vault-k8s did its part. I’ll take a look at vaultingkube. Thanks again.

Another option to look at is Vault Secrets Operator. We’re using that for exactly your use case (pull secrets from Vault and store them as Kubernetes secrets) and are happy with it.
