Vault Secrets Operator in Kubernetes: Install, Configure & Sync

The Vault Secrets Operator (VSO) makes it easier than ever to bring HashiCorp Vault secrets into Kubernetes—securely, natively, and without adding Vault-specific logic to your workloads. Whether you’re running on a self-managed cluster, using a managed Kubernetes service, or operating in a multi-cloud environment, VSO provides a streamlined, GitOps-friendly way to keep your workloads supplied with the credentials, API keys, and certificates they need.

In this post, I’ll walk you through the full workflow:

  1. Installing the Vault Secrets Operator
  2. Configuring connectivity and authentication with Vault
  3. Syncing secrets from Vault into Kubernetes

Note: This content is from my HashiCorp Certified: Vault Associate (w/ Hands-On Labs). Make sure to check it out for additional content on HashiCorp Vault.

Step 1: Installing the Vault Secrets Operator

The easiest way to install VSO is with HashiCorp’s official Helm chart. This ensures a consistent, repeatable setup across all your environments.

VSO runs in its own namespace, which helps keep things clean and allows you to manage permissions independently from your workloads. The installation process looks like this:

  1. Add the HashiCorp Helm repository so Helm knows where to fetch the chart.
  2. Search for the chart to verify availability.
  3. Run the Helm install command to deploy the operator into its namespace.

Example command:

helm repo add hashicorp https://helm.releases.hashicorp.com
helm search repo hashicorp/vault-secrets-operator
helm install \
  --version 0.1.0 \
  --create-namespace \
  --namespace vault-secrets-operator \
  vault-secrets-operator hashicorp/vault-secrets-operator

Here’s a quick breakdown:

  • --version 0.1.0 pins to a known version so behavior stays consistent.
  • --create-namespace ensures the namespace exists.
  • The release name vault-secrets-operator is how Helm will track this install.
  • The chart name hashicorp/vault-secrets-operator points to the official source.
Terminal window displaying Helm commands for adding the HashiCorp repository, searching for the Vault Secrets Operator chart, and installing it with specific parameters for version and namespace.

Once installed:

  • Run kubectl get pods -n vault-secrets-operator to confirm the operator is running.
  • Check the CRDs with kubectl get crds | grep secrets.hashicorp.com to ensure VSO-specific resources like VaultAuth, VaultStaticSecret, and VaultDynamicSecret are registered.
Terminal window displaying Kubernetes commands for verifying the running status of the Vault Secrets Operator pod and confirming the installation of Custom Resource Definitions (CRDs) related to HashiCorp Vault.

Step 2: Configuring the Vault Secrets Operator

Like any Vault client, VSO needs two things:

  1. Where to find Vault (Vault address)
  2. How to authenticate (Auth method)

You’ll define this using Custom Resources (CRs) based on VSO’s Custom Resource Definitions (CRDs).

Vault Secrets Operator diagram illustrating connection to Kubernetes cluster, with elements including Vault address, authentication method, and role details for secure secret management.

VaultConnection CR

The VaultConnection CR tells VSO how to reach your Vault cluster—whether it’s in the same Kubernetes cluster, running externally, or hosted on HCP Vault. This CR includes:

  • Vault address (e.g., https://vault.example.com:8200)
  • TLS settings (never skip TLS in production!)
  • Optional custom CA configuration

You can create multiple VaultConnection CRs if you need to connect to different Vault clusters or environments.

YAML configuration for VaultConnection CR in Kubernetes, specifying API version, kind, metadata, and connection details for HashiCorp Vault.

VaultAuth CR

The VaultAuth CR defines how the operator should authenticate to Vault. Common methods include:

  • Kubernetes Auth Method (most popular when running in-cluster)
  • AppRole
  • Cloud-specific methods like AWS IAM or GCP Workload Identity
Kubernetes logo, JSON Web Token (JWT) icon, AppRole symbol, AWS logo, and Google Cloud Platform (GCP) icon on yellow background, representing authentication methods for Vault Secrets Operator in Kubernetes environments.

For Kubernetes auth, the operator will:

  • Send a service account token to the Vault Kubernetes auth mount.
  • Authenticate with a specific Vault role that has permissions to read required secrets.

The VaultAuth CR references the VaultConnection by name, linking the authentication method to the correct Vault cluster.

YAML configuration for VaultAuth resource in Kubernetes, highlighting authentication method and connection reference for Vault integration.

Step 3: Syncing Secrets from Vault into Kubernetes

With connectivity and authentication in place, it’s time to actually sync secrets.

VSO supports three main CR types for syncing:

  1. VaultStaticSecret – Syncs a manually managed static secret from the KV secrets engine (v1 or v2). Great for API keys or passwords that don’t change often.
  2. VaultDynamicSecret – Retrieves on-demand credentials from dynamic secrets engines like Database, AWS, GCP, etc., and refreshes them before expiration.
  3. VaultPKISecret – Generates and rotates TLS certificates using Vault’s PKI secrets engine, syncing them into Kubernetes as TLS secrets.

Each CR follows the same general pattern:

VaultStaticSecret, VaultDynamicSecret, VaultPKISecret definitions and descriptions for syncing secrets from HashiCorp Vault to Kubernetes, highlighting KVv1, KVv2, Database, AWS, GCP, and PKI engines.

Example: VaultStaticSecret

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: myapp-config
spec:
  vaultAuthRef: vso-auth
  mount: kv
  path: secret/myapp/config
  type: kv-v2
  destination:
    name: myapp-config-secret
  refreshAfter: 1h
YAML configuration for VaultStaticSecret in Kubernetes, illustrating secret management with HashiCorp Vault.

Why This Approach Works So Well

Using the Vault Secrets Operator gives you:

  • Kubernetes-native secret management – No Vault-specific code in your workloads.
  • Declarative workflows – Perfect for GitOps with CRDs stored in Git.
  • Secure, automated rotation – Dynamic and PKI secrets stay fresh without manual intervention.
  • Scalability – Easily manage secrets across multiple applications and namespaces.

Whether you need a one-off static API key or fully automated certificate rotation, VSO brings Vault’s power right into your Kubernetes environment—securely and seamlessly.

Ready to Try It?

With these three steps—Install, Configure, and Sync—you can integrate HashiCorp Vault into Kubernetes using the Vault Secrets Operator in a way that’s clean, maintainable, and production-ready.

If you’re studying for the HashiCorp Certified: Vault Associate exam, this is also a topic worth knowing inside and out. And if you’re running Kubernetes in production, it’s worth testing VSO in a dev or staging cluster to see just how much it can simplify your secret management.

Note: Make sure to check out my course here, where I include links and coupons to ensure all my content is accessible to everyone.

Explore my latest courses

Bryan Krausen's cloud training course promotional image featuring AWS and HashiCorp tools with student testimonials.
Git Made Easy: A Crash Course for Beginners
Bryan Krausen's cloud training course promotional image featuring AWS and HashiCorp tools with student testimonials.
HashiCorp Terraform: The Ultimate Beginner’s Guide with Labs
Image of Bryan Krausen offering AWS and HashiCorp cloud training courses for skill enhancement and professional growth.
HashiCorp Certified: Terraform Associate Practice Exam 2025