Security 8 min. read

Secrets Management: Integrating HashiCorp Vault into Kubernetes

Kubernetes Secrets are Base64-encoded, not encrypted, and by default they sit in etcd in plaintext. For real secret security you need a dedicated solution such as HashiCorp Vault.

devRocks Team · 12. February 2026 ·
Tags: Vault, Kubernetes, Secrets, Security

The Problem with Kubernetes Secrets

Kubernetes Secrets are merely Base64-encoded, and Base64 is an encoding, not encryption: anyone with RBAC permission to get or list Secrets reads them in plain text with a single kubectl command. Unless encryption at rest is configured for the API server (an EncryptionConfiguration with a real provider such as aescbc or kms listed first), the values are also written unencrypted to etcd and end up in every etcd backup. For sensitive data such as database passwords, API keys and TLS private keys, you need more.
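As an added example (not part of the original article), the following script shows both halves of that claim: it decodes a Secret's data field without any key, and it inspects an API-server EncryptionConfiguration to tell whether secrets are encrypted before they reach etcd. The Secret manifest and the two configuration files are constructed for the example; in a cluster you would feed it the output of `kubectl get secret <name> -o json` and the file passed to kube-apiserver via `--encryption-provider-config`.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article.
# 1) decode a Kubernetes Secret's .data (base64, no key involved)
# 2) check whether an EncryptionConfiguration actually encrypts secrets in etcd
set -eu

# Constructed: what `kubectl get secret db -o json` prints (metadata trimmed)
# for `kubectl create secret generic db --from-literal=password=hunter2`
SECRET_JSON='{"apiVersion":"v1","kind":"Secret","metadata":{"name":"db"},"type":"Opaque","data":{"password":"aHVudGVyMg=="}}'

# Decode one key of .data. Live-cluster equivalent:
#   kubectl get secret db -o jsonpath='{.data.password}' | base64 -d
decode_secret_key() {
  local json="$1" key="$2" enc
  # minimal "key":"value" lookup; sufficient for a flat .data object
  enc=$(printf '%s' "$json" | sed -n "s/.*\"$key\":\"\([^\"]*\)\".*/\1/p")
  printf '%s' "$enc" | base64 -d
}

# Constructed EncryptionConfiguration files (the file given to kube-apiserver
# with --encryption-provider-config). The FIRST provider in the list is used
# for writes; later ones are only tried when reading.
PLAINTEXT_CONFIG='apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}'

ENCRYPTED_CONFIG='apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: "<base64 of a random 32-byte key>"
      - identity: {}'

# Name of the first provider in the first providers: block. Assumes the config
# has a single resources entry that covers secrets, as in the samples above.
first_secrets_provider() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*providers:/ { in_providers = 1; next }
    in_providers && /^[[:space:]]*- / { sub(/^[[:space:]]*- /, ""); sub(/:.*/, ""); print; exit }'
}

# Exit 0 if secrets are written encrypted, 1 if identity (plaintext), 2 if unknown.
secrets_encrypted_at_rest() {
  case "$(first_secrets_provider "$1")" in
    aescbc|aesgcm|secretbox|kms) return 0 ;;
    identity)                    return 1 ;;
    *)                           return 2 ;;
  esac
}

# Stand-alone run: show the recovered password and the verdict for each config.
echo "decoded password: $(decode_secret_key "$SECRET_JSON" password)"
if secrets_encrypted_at_rest "$PLAINTEXT_CONFIG"; then
  echo "PLAINTEXT_CONFIG: secrets encrypted in etcd"
else
  echo "PLAINTEXT_CONFIG: secrets stored in etcd as PLAINTEXT"
fi
if secrets_encrypted_at_rest "$ENCRYPTED_CONFIG"; then
  echo "ENCRYPTED_CONFIG: secrets encrypted in etcd (provider $(first_secrets_provider "$ENCRYPTED_CONFIG"))"
else
  echo "ENCRYPTED_CONFIG: secrets stored in etcd as PLAINTEXT"
fi
```

Even with an encrypting provider first, the API server still hands the decrypted value to anyone RBAC allows to read the Secret; encryption at rest protects the etcd data files and backups, not the API. That is the gap the rest of the article addresses.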

Why HashiCorp Vault?

  • Encryption: Vault encrypts every secret with its own barrier key before writing it to storage and serves it only over TLS, so secrets are encrypted at rest and in transit, not merely encoded.
  • Dynamic Secrets: with the database secrets engine Vault creates a fresh, short-lived database user per lease, so each pod gets its own credentials, and Vault revokes them when the lease expires.
  • Audit Log: every request to Vault, including each read of a secret, is written to an audit device together with the requesting identity, which is what compliance reviews expect to see.
  • Rotation: lease TTLs and static-role rotation replace credentials automatically, without manual intervention. The application still has to pick up the new value (reread the mounted file or request a new lease); rotation is only downtime-free when the app does that instead of caching a connection string forever.

Integration with Kubernetes

  • Vault Agent Injector: a mutating admission webhook adds a Vault Agent init container and sidecar to annotated pods; they authenticate with the pod's service account and render secrets into a shared in-memory volume, so no changes to application code are required.
  • CSI Driver: the Secrets Store CSI Driver with the Vault provider mounts secrets as files on a tmpfs volume, a native Kubernetes approach without a sidecar per pod. Leave the optional sync to Kubernetes Secrets off unless an application genuinely needs it, because that sync writes the values back into etcd.
  • External Secrets Operator: synchronises Vault secrets into native Kubernetes Secrets, ideal for legacy applications and Helm charts that only understand Secrets. The values then live in etcd again, so this option improves management and rotation but not storage security unless etcd encryption at rest is enabled.

Our Architecture

At devRocks, we use Vault with the CSI Driver. Vault runs as an HA cluster with integrated (Raft) storage, pods authenticate through the Kubernetes auth method with their service-account tokens, and database credentials are dynamic secrets that Vault rotates automatically every 24 hours.
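The following script is an added example of the integration described above; it is not devRocks' own configuration. It covers the Vault side (Kubernetes auth method, database secrets engine with a 24h lease, a least-privilege policy) and the Kubernetes side (a SecretProviderClass for the Secrets Store CSI Driver with the Vault provider, and a pod that mounts it). The namespace, service account, role and policy names, the Vault and PostgreSQL addresses and the bootstrap admin password are all hypothetical placeholders; `vault` and `kubectl` are the real CLIs and are only invoked when you run the script with `APPLY=1`.

```bash
#!/usr/bin/env bash
# Added example, not devRocks' code. Vault side: Kubernetes auth, dynamic
# PostgreSQL credentials with a 24h lease, least-privilege policy. Kubernetes
# side: SecretProviderClass for the Secrets Store CSI Driver + pod mount.
# Every name, address and the bootstrap DB password is a hypothetical placeholder.
set -eu

APP_NS="app"          # namespace of the workload
APP_SA="app"          # its service account
AUTH_ROLE="app-db"    # Vault kubernetes-auth role
DB_ROLE="app-db"      # Vault database role
POLICY="app-db-read"

# 1. Kubernetes auth: Vault validates the pod's service-account token through
#    the TokenReview API. With no CA or reviewer JWT given, an in-cluster Vault
#    uses its own service account for that call.
configure_kubernetes_auth() {
  vault auth enable kubernetes
  vault write auth/kubernetes/config kubernetes_host="https://kubernetes.default.svc:443"
  vault write "auth/kubernetes/role/$AUTH_ROLE" \
    bound_service_account_names="$APP_SA" \
    bound_service_account_namespaces="$APP_NS" \
    token_policies="$POLICY" token_ttl=1h
}

# 2. Database engine: each lease is a fresh PostgreSQL role that Vault drops
#    after 24h. rotate-root leaves Vault as the only holder of the admin password.
configure_database_engine() {
  vault secrets enable database
  vault write database/config/app-postgres \
    plugin_name=postgresql-database-plugin allowed_roles="$DB_ROLE" \
    connection_url="postgresql://{{username}}:{{password}}@postgres.$APP_NS.svc:5432/app?sslmode=require" \
    username="vault_admin" password="bootstrap-only-CHANGE-ME"
  vault write -force database/rotate-root/app-postgres
  vault write "database/roles/$DB_ROLE" db_name=app-postgres default_ttl=24h max_ttl=24h \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
}

# 3. Policy: the role may read credentials for this one DB role and nothing else.
render_policy() {
  cat <<EOF
path "database/creds/$DB_ROLE" {
  capabilities = ["read"]
}
EOF
}

# 4. SecretProviderClass: which Vault paths become which files on the mount.
render_secret_provider_class() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata: {name: app-db-creds, namespace: $APP_NS}
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.vault.svc:8200"
    roleName: "$AUTH_ROLE"
    objects: |
      - objectName: "db-username"
        secretPath: "database/creds/$DB_ROLE"
        secretKey: "username"
      - objectName: "db-password"
        secretPath: "database/creds/$DB_ROLE"
        secretKey: "password"
EOF
}

# 5. Pod: credentials appear as files on a tmpfs volume, never in etcd.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata: {name: app, namespace: $APP_NS}
spec:
  serviceAccountName: $APP_SA
  containers:
    - name: app
      image: registry.example/app:1.0
      volumeMounts:
        - {name: db-creds, mountPath: /vault/secrets, readOnly: true}
  volumes:
    - name: db-creds
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes: {secretProviderClass: app-db-creds}
EOF
}

if [ "${APPLY:-0}" = 1 ]; then    # APPLY=1 requires vault and kubectl access
  configure_kubernetes_auth; configure_database_engine
  render_policy | vault policy write "$POLICY" -
  { render_secret_provider_class; echo '---'; render_pod; } | kubectl apply -f -
else                               # default: print everything for review
  render_policy; echo '---'; render_secret_provider_class; echo '---'; render_pod
fi
```

Two practical caveats. The CSI driver only refreshes the mounted files when it runs with `--enable-secret-rotation`, and because `database/creds/...` issues a new lease on every read, each rotation poll produces a fresh database user; set the poll interval to the rotation you actually want and make the application reread `/vault/secrets` rather than caching the values at startup. And do not add a `secretObjects` section to the SecretProviderClass unless a consumer really needs a Kubernetes Secret, since that would put the credentials back into etcd.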
