Register a custom plugin to a production vault running in k8s


How do i register a custom secrets engine plugin to a production running vault running in k8s? I’m aware of vault register (plugin register - Command | Vault | HashiCorp Developer). My question is about: how do i provide my vault instance the binary and the checksum of my plugin?

Can this be done using an additional sidecar container to the vault pod containing my binary that makes the register or do i have to build my custom vault container image containing the plugin?

Are there any best practices? I think i’m not the first person who has this question.


I’m answering the question myself.

  1. I created a custom container image with my plugin copied into it

  2. I am using the vault-operator from bank-vaults to provision a vault instance (kind: Vault, apiVersion:

In the configuration yaml of my vault instance I’ve configured like this:

  • spec.image: my custom container image:tag
  • spec.config.plugin_directory: the location my custom vault image has my plugin installed
  • spec.config.disable_mlock: true to enable the plugin to allocate memory
  • spec.config.api_addr: to be `“https://”
  • spec.externalConfig.plugins: like described here Plugins · Banzai Cloud
  • spec.externalConfig.secrets: like described here Secrets engines · Banzai Cloud