🔐 Vault-Kubernetes Integration Guide
Objective: Mount secrets into a Kubernetes Pod using HashiCorp Vault and Kubernetes Auth Method.
1. Prerequisites
Ensure the following components are available:
- A running Kubernetes cluster
- kubectl configured to access your cluster
- Helm 3.x installed
- Vault Helm chart access (https://helm.releases.hashicorp.com)
2. Setup Vault in Kubernetes
Step 2.1: Create Namespace
kubectl create namespace vault
Step 2.2: Add HashiCorp Helm Repository
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
Step 2.3: Deploy Vault in Dev Mode
Note: For production use, configure Vault in HA mode with proper storage backends and TLS.
helm install vault hashicorp/vault \
--set="server.dev.enabled=true" \
--set="ui.enabled=true" \
--set="ui.serviceType=NodePort" \
--namespace vault
3. Configure Vault for Kubernetes Auth
Step 3.1: Exec into Vault Pod
kubectl exec -it vault-0 -n vault -- /bin/sh
Step 3.2: Create Vault Policy (read-policy.hcl)
cat <<EOF > /home/vault/read-policy.hcl
path "secret/*" {
  capabilities = ["read"]
}
EOF
Step 3.3: Register the Policy
vault policy write read-policy /home/vault/read-policy.hcl
Step 3.4: Enable Kubernetes Auth Method
vault auth enable kubernetes
Step 3.5: Configure Kubernetes Auth Backend
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://${KUBERNETES_PORT_443_TCP_ADDR}:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
4. Bind Policy to Kubernetes Service Account
Step 4.1: Create a Role in Vault
vault write auth/kubernetes/role/vault-role \
bound_service_account_names=vault-serviceaccount \
bound_service_account_namespaces=vault \
policies=read-policy \
ttl=1h
Note: Replace vault and vault-serviceaccount if using a different namespace or service account.
5. Inject a Secret into Vault
Step 5.1: Add a Key-Value Secret
vault kv put secret/clisecret token=secretcreatedbycli
Step 5.2: Verify Secret Creation
vault kv list secret/
vault kv get secret/clisecret
6. Kubernetes Pod Configuration for Secret Injection
Step 6.1: Create Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-serviceaccount
  namespace: vault
  labels:
    app: read-vault-secret
Step 6.2: Deployment Manifest
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-test
  namespace: vault
  labels:
    app: read-vault-secret
spec:
  replicas: 1
  selector:
    matchLabels:
      app: read-vault-secret
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/agent-inject-secret-clisecret: "secret/clisecret"
        vault.hashicorp.com/agent-inject-template-clisecret: |
          {{- with secret "secret/clisecret" -}}
          pattoken={{ .Data.data.token }}
          {{- end }}
        vault.hashicorp.com/role: "vault-role"
      labels:
        app: read-vault-secret
    spec:
      serviceAccountName: vault-serviceaccount
      containers:
        - name: nginx
          image: nginx
7. Validate Secret Injection
kubectl get pods -n vault
kubectl exec -it <vault-test-pod-name> -n vault -- ls /vault/secrets/
kubectl exec -it <vault-test-pod-name> -n vault -- cat /vault/secrets/clisecret
The mounted file should display the secret in the defined template format.
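Step 7 only shows the rendered file. To see why a value is (or is not) there, the following added script (not part of the guide) replays the exchange Vault Agent performs for the vault-test pod: it logs in to auth/kubernetes/login with the bound service account's JWT, reads secret/data/clisecret with the returned client token, and compares the result with the injected file. Assumed beyond the guide: kubectl 1.24+ (for `kubectl create token`), curl and jq, and Vault reachable at VAULT_ADDR (for example via `kubectl -n vault port-forward svc/vault 8200:8200`).

```shell
#!/usr/bin/env bash
# Added example (not from the guide): replay the login that Vault Agent performs for the
# vault-test pod, read secret/data/clisecret directly, and compare with the injected file.
# Assumes: kubectl >= 1.24 (for "create token"), curl and jq installed, and Vault reachable
# at VAULT_ADDR (e.g. kubectl -n vault port-forward svc/vault 8200:8200).
set -euo pipefail
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
NAMESPACE="${NAMESPACE:-vault}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-vault-serviceaccount}"
VAULT_ROLE="${VAULT_ROLE:-vault-role}"

# JSON body the agent POSTs to auth/kubernetes/login: the role name and the pod's SA JWT.
login_body() {
  printf '{"role":"%s","jwt":"%s"}' "$1" "$2"
}

# Pull the value out of a file rendered by the "pattoken={{ .Data.data.token }}" template.
parse_injected() {
  sed -n 's/^pattoken=//p'
}

# Short-lived projected token for the bound service account (same identity the agent uses).
sa_jwt() {
  kubectl -n "$NAMESPACE" create token "$SERVICE_ACCOUNT" --duration=10m
}

# Exchange the SA JWT for a Vault client token; a 403 here means the role binding is wrong.
vault_login() {
  curl -sS --fail -X POST "$VAULT_ADDR/v1/auth/kubernetes/login" \
    -d "$(login_body "$VAULT_ROLE" "$1")" | jq -r '.auth.client_token'
}

# KV v2 read: the API path is secret/data/<name>, the value sits under .data.data.
read_secret() {
  curl -sS --fail -H "X-Vault-Token: $1" "$VAULT_ADDR/v1/secret/data/clisecret" \
    | jq -r '.data.data.token'
}
check_injection() {
  local token value pod injected
  token=$(vault_login "$(sa_jwt)")
  value=$(read_secret "$token")
  pod=$(kubectl -n "$NAMESPACE" get pod -l app=read-vault-secret \
    -o jsonpath='{.items[0].metadata.name}')
  injected=$(kubectl -n "$NAMESPACE" exec "$pod" -c nginx -- cat /vault/secrets/clisecret | parse_injected)
  [ "$value" = "$injected" ] && echo "OK: /vault/secrets/clisecret matches Vault" \
    || { echo "MISMATCH: Vault='$value' injected='$injected'" >&2; return 1; }
}
# Run the live check only when invoked as: ./check-injection.sh check
if [ "${1:-}" = "check" ]; then check_injection; fi
```

A 403 on the login step points at the role binding (Step 4.1); a 403 on the read step points at the policy (Step 3.2). Note that the policy's `secret/*` grants read on every key under the mount, and `secret/data/clisecret` is the least-privilege path for this role.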
8. Notes for Production Readiness
- Do not use server.dev.enabled=true for production.
- Use proper TLS, storage backend (e.g., Consul, AWS S3), and enable audit logging.
- Rotate service account tokens and Vault policies periodically.
- Monitor Vault Agent injector logs for troubleshooting.