I wanted to share a new Kubernetes operator I’ve been developing: the Vault Restart Operator (GitHub repo link). It’s designed to safely automate rolling restarts of Vault clusters (using the Raft integrated storage backend), following the best practices outlined in this HashiCorp guide on safely restarting Vault clusters in Kubernetes: "How-to safely restart a Vault cluster running on Kubernetes".
What it does:
Watches Secrets labeled with vault.operator/watch: true—for example, when TLS certificates change—and triggers a controlled rolling restart.
Ensures follower pods are restarted first, preserving quorum, and always restarts the active leader last to minimize downtime.
Offers helpful safety features like dry-run mode, health checks, and quorum protection—aligning with official recommendations like the 45-second delay between restarts.
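To make the restart ordering and the safety checks above concrete, here is an added illustration in Go (not the operator's own code, and not taken from the HashiCorp guide). It assumes a hypothetical VaultPod view of each pod built from Vault's health status (active leader vs. standby follower, sealed pods marked unhealthy), plans followers first and the leader last, refuses to proceed when taking one pod down would break Raft quorum or when no leader is found, and supports a dry-run mode and the 45-second inter-restart delay. The pod list in main is constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// VaultPod is a hypothetical, minimal view of one Vault pod as an operator
// would see it after polling the health endpoint. Not the operator's own type.
type VaultPod struct {
	Name    string
	Active  bool // true for the Raft leader
	Healthy bool // true for active or standby; false for sealed/uninitialized
}

// RestartPlan is the order in which pods will be restarted plus the delay
// to wait between consecutive restarts.
type RestartPlan struct {
	Order []string
	Delay time.Duration
}

// RestartDelay is the 45-second pause recommended by the HashiCorp guide.
const RestartDelay = 45 * time.Second

// PlanRollingRestart orders followers first (sorted by name for a stable plan)
// and the active leader last. It refuses to plan when no single leader is
// visible or when restarting one pod would drop the cluster below quorum.
func PlanRollingRestart(pods []VaultPod) (RestartPlan, error) {
	if len(pods) == 0 {
		return RestartPlan{}, errors.New("no vault pods found")
	}
	quorum := len(pods)/2 + 1
	healthy := 0
	var followers []string
	leader := ""
	for _, p := range pods {
		if p.Healthy {
			healthy++
		}
		if p.Active {
			if leader != "" {
				return RestartPlan{}, fmt.Errorf("multiple active pods: %s and %s", leader, p.Name)
			}
			leader = p.Name
			continue
		}
		followers = append(followers, p.Name)
	}
	if leader == "" {
		return RestartPlan{}, errors.New("no active leader; cluster may be mid-election, refusing to restart")
	}
	// Quorum protection: the pod being restarted is temporarily gone, so the
	// remaining healthy members must still form a majority.
	if healthy-1 < quorum {
		return RestartPlan{}, fmt.Errorf("quorum protection: %d healthy of %d, need %d after taking one down",
			healthy, len(pods), quorum)
	}
	sort.Strings(followers)
	return RestartPlan{Order: append(followers, leader), Delay: RestartDelay}, nil
}

// Execute walks the plan. deleter performs the actual restart (for example a
// pod delete so the StatefulSet recreates it) and sleep applies the delay;
// both are injected so the logic is testable. In dry-run mode nothing is
// deleted and no delay is applied. The actions taken are returned.
func Execute(plan RestartPlan, dryRun bool, deleter func(name string) error, sleep func(time.Duration)) ([]string, error) {
	var actions []string
	for i, name := range plan.Order {
		if dryRun {
			actions = append(actions, "would restart "+name)
			continue
		}
		if err := deleter(name); err != nil {
			return actions, fmt.Errorf("restart %s: %w", name, err)
		}
		actions = append(actions, "restarted "+name)
		if i < len(plan.Order)-1 {
			sleep(plan.Delay) // wait before touching the next member
		}
	}
	return actions, nil
}

func main() {
	// Constructed sample cluster: vault-1 is the leader, vault-2 is sealed.
	pods := []VaultPod{
		{Name: "vault-0", Healthy: true},
		{Name: "vault-1", Active: true, Healthy: true},
		{Name: "vault-2", Healthy: false},
		{Name: "vault-3", Healthy: true},
		{Name: "vault-4", Healthy: true},
	}
	plan, err := PlanRollingRestart(pods)
	if err != nil {
		fmt.Println("refusing:", err)
		return
	}
	actions, _ := Execute(plan, true, nil, nil)
	fmt.Println(actions)
}
```

A real controller would re-poll health before each individual restart rather than trusting a plan computed once, since a member can seal or an election can happen during the 45-second window; the quorum check here is the point at which that re-evaluation would go.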
This project is still very new and early in adoption—there are no published releases yet, and activity is just getting started. I’m looking for feedback, testing support, ideas, and contributions if anyone is interested.
Thanks for checking it out—would love to hear your thoughts or help improve it!
Plans are to extend the operator to perform restarts of the cluster for other events, not just secrets.