Deep Dive: ArgoCD Vault Plugin (AVP) for GitOps Secrets

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

The ArgoCD Vault Plugin (AVP) bridges the gap between GitOps and secrets management. It processes your Kubernetes manifests at sync time, replacing placeholder tokens with real values from Vault — so you never commit actual secrets to Git.

The Problem AVP Solves

Without AVP: Git → Kubernetes, with real secrets committed to Git.
With AVP: Git (placeholders such as <secret>) → ArgoCD + AVP → Kubernetes (real values); AVP resolves the placeholders from Vault at sync time.

[architecture diagram omitted]

Installation

Method 1: InitContainer (Recommended)

Patch the argocd-repo-server to download AVP at startup:...

May 15, 2026 · 4 min · Dileep Kumar

Deep Dive: Vault Secrets Operator (VSO) for Kubernetes

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

The Vault Secrets Operator (VSO) is HashiCorp's latest and most Kubernetes-native approach to secrets management. It uses Custom Resource Definitions (CRDs) to declaratively define what secrets to sync — making it a perfect fit for GitOps workflows.

Why VSO Over Agent Injector?

| Feature | Agent Injector | VSO |
|---|---|---|
| Architecture | Sidecar per pod | Single controller |
| Resource overhead | High (per-pod) | Minimal (controller only) |
| Configuration | Annotations (imperative) | CRDs (declarative) |
| GitOps friendly | ⚠️ Limited | ✅ Fully declarative |
| Auto rollout restart | ❌ Manual | ✅ Built-in |
| Dynamic secrets | ✅ Via sidecar | ✅ Via operator reconciliation |
| Secrets in etcd | ❌ tmpfs only | ✅ Synced to K8s Secret |

Installation

helm repo add hashicorp https://helm....

May 15, 2026 · 4 min · Dileep Kumar

Deep Dive: Vault CSI Provider for Kubernetes

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

The Vault CSI Provider uses the Kubernetes Secrets Store CSI Driver to mount Vault secrets directly as ephemeral volumes — no sidecar containers needed.

How It Differs from Agent Injector

| Aspect | Agent Injector | CSI Provider |
|---|---|---|
| Architecture | Sidecar per pod | DaemonSet per node |
| Resource usage | Higher (per-pod) | Lower (per-node) |
| Dynamic secrets | ✅ Full renewal | ❌ Static at mount |
| Templating | ✅ Advanced Go templates | ❌ Raw key-value only |
| Secret rotation | ✅ Automatic | ❌ Requires pod restart |

Best for: Workloads needing simple key-value secrets without dynamic renewal, and teams wanting lower resource overhead....

May 15, 2026 · 2 min · Dileep Kumar

Deep Dive: Vault Agent Injector for Kubernetes

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

The Vault Agent Injector uses a Kubernetes mutating admission webhook to automatically inject a Vault Agent sidecar into your pods. The sidecar handles authentication, secret retrieval, templating, and token renewal — your application just reads files from a shared volume.

Architecture

[architecture diagram omitted; it shows the following] Inside the Kubernetes cluster, each pod contains the App Container and a Vault Agent Sidecar that share a tmpfs volume. The app reads from /vault/secrets/; the sidecar performs auto-auth, secret fetching, template rendering and token renewal, and authenticates to and reads from the Vault Server. The Injector Controller (a Deployment) is the webhook that intercepts pod creation.

Installation

The injector is installed alongside Vault via the Helm chart:...

May 15, 2026 · 5 min · Dileep Kumar

Deep Dive: Vault AppRole Auth for Kubernetes

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

AppRole is a machine-oriented auth method. Unlike Kubernetes Auth (which requires Vault to call the K8s TokenReview API), AppRole uses a RoleID + SecretID pair — making it ideal when Vault cannot reach the Kubernetes API server.

When to Use AppRole Over Kubernetes Auth

| Scenario | Use AppRole? |
|---|---|
| Vault is external and cannot reach K8s API | ✅ Yes |
| CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions) | ✅ Yes |
| Batch jobs or CronJobs needing Vault access | ✅ Consider |
| Cross-cloud authentication | ✅ Yes |
| Vault is in-cluster or can reach K8s API | ❌ Use K8s Auth |

How AppRole Works

[sequence diagram omitted; it starts with the App Pod at step 1....]

May 15, 2026 · 5 min · Dileep Kumar

Deep Dive: Vault Kubernetes Auth Method

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

The Kubernetes Auth Method is the recommended way for pods to authenticate with Vault. It uses native Kubernetes Service Account tokens (JWTs), eliminating the need to distribute or rotate static credentials. But before jumping into commands, let's understand what each component is, why it exists, and how they work together....

May 15, 2026 · 14 min · Dileep Kumar

The Complete Guide to Integrating HashiCorp Vault with Kubernetes

Managing secrets in Kubernetes is one of those challenges that every platform team eventually faces. Base64-encoded Kubernetes Secrets stored in etcd are not encryption — they’re encoding. If you’re running anything beyond a hobby cluster, you need a proper secrets management solution. This guide is your one-stop reference for HashiCorp Vault + Kubernetes. It covers the architecture, compares every integration method, and links to detailed implementation guides for each approach....

May 15, 2026 · 8 min · Dileep Kumar