Deep Dive: Vault Secrets Operator (VSO) for Kubernetes

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

The Vault Secrets Operator (VSO) is HashiCorp’s latest and most Kubernetes-native approach to secrets management. It uses Custom Resource Definitions (CRDs) to declaratively define what secrets to sync, making it a perfect fit for GitOps workflows.

Why VSO Over Agent Injector?

| Feature | Agent Injector | VSO |
|---|---|---|
| Architecture | Sidecar per pod | Single controller |
| Resource overhead | High (per-pod) | Minimal (controller only) |
| Configuration | Annotations (imperative) | CRDs (declarative) |
| GitOps friendly | ⚠️ Limited | ✅ Fully declarative |
| Auto rollout restart | ❌ Manual | ✅ Built-in |
| Dynamic secrets | ✅ Via sidecar | ✅ Via operator reconciliation |
| Secrets in etcd | ❌ tmpfs only | ✅ Synced to K8s Secret |

Installation

helm repo add hashicorp https://helm....

May 15, 2026 · 4 min · Dileep Kumar