Debug School

Cover image for Vault Config Operator
Suyash Sambhare
Suyash Sambhare

Posted on

Vault Config Operator

Vault Config Operator 0.8.24 provided by Red Hat Community of Practice

This operator helps set up Vault Configurations. The main intent is to do so much that subsequently, pods can consume the secrets made available. There are two main principles through all of the capabilities of this operator:

  1. High-fidelity API. The CRD exposed by this operator reflects field by field the Vault APIs. This is because we don't want to make any assumptions about the kinds of configuration workflow that the user will set up. That being said the Vault API is very extensive and we are starting with enough API coverage to support, we think, some simple and very common configuration workflows.
  2. Attention to security. After all we are integrating with a security tool. To prevent credential leaks we give no permissions to the operator itself against Vault. All APIs exposed by this operator contain enough information to authenticate to Vault using a local service account (local to the namespace where the API exists). In other words, for a namespace user to be able to successfully configure Vault, a service account in that namespace must have been previously given the needed Vault permissions.

Currently, this operator supports the following CRDs:

  1. Policy Configures Vault Policies
  2. KubernetesAuthEngineRole Configures a Vault Kubernetes Authentication Role
  3. SecretEngineMount Configures a Mount point for a SecretEngine
  4. DatabaseSecretEngineConfig Configures a Database Secret Engine Connection
  5. DatabaseSecretEngineRole Configures a Database Secret Engine Role
  6. RandomSecret Creates a random secret in a vault kv Secret Engine with one password field generated using a PasswordPolicyvault-config-operator
Latest version


Capability level
  • Basic Install
  • Seamless Upgrades
  • Full Lifecycle
  • Deep Insights
  • Auto-Pilot



Red Hat Community of Practice

Infrastructure features



Container image


Best Effort


Provided APIs for Vault Config Operator are:

  1. Auth Engine Mount - AuthEngineMount is the Schema for the authenginemounts API
  2. Database Secret Engine Config - DatabaseSecretEngineConfig is the Schema for the databasesecretengineconfigs API
  3. Database Secret Engine Role - DatabaseSecretEngineRole is the Schema for the databasesecretengineroles API
  4. Database Secret Engine Static Role - DatabaseSecretEngineStaticRole is the Schema for the databasesecretenginestaticroles API
  5. Git Hub Secret Engine Config - GitHubSecretEngineConfig is the Schema for the githubsecretengineconfigs API
  6. Git Hub Secret Engine Role - GitHubSecretEngineRole is the Schema for the githubsecretengineroles API
  7. Group Alias - GroupAlias is the Schema for the groupalias API
  8. Group - Group is the Schema for the groups API
  9. JWTOIDCAuth Engine Config - JWTOIDCAuthEngineConfig is the Schema for the jwtoidcauthengineconfigs API
  10. JWTOIDCAuth Engine Role - JWTOIDCAuthEngineRole is the Schema for the jwtoidcauthengineroles API
  11. Kubernetes Auth Engine Config - KubernetesAuthEngineConfig is the Schema for the kubernetesauthengineconfigs API
  12. Kubernetes Auth Engine Role - KubernetesAuthEngineRole can be used to define a KubernetesAuthEngineRole for the kube-auth authentication method
  13. Kubernetes Secret Engine Config - KubernetesSecretEngineConfig is the Schema for the kubernetessecretengineconfigs API
  14. Kubernetes Secret Engine Role - KubernetesSecretEngineRole is the Schema for the kubernetessecretengineroles API
  15. LDAPAuth Engine Config - LDAPAuthEngineConfig is the Schema for the ldapauthengineconfigs API
  16. LDAPAuth Engine Group - LDAPAuthEngineGroup is the Schema for the ldapauthenginegroups API
  17. Password Policy - PasswordPolicy is the Schema for the passowordpolicies API
  18. PKISecret Engine Config - PKISecretEngineConfig is the Schema for the pkisecretengineconfigs API
  19. PKISecret Engine Role - PKISecretEngineRole is the Schema for the pkisecretengineroles API
  20. Policy - Policy is the Schema for the policies API
  21. Quay Secret Engine Config - QuaySecretEngineConfig is the Schema for the quaysecretengineconfigs API
  22. Quay Secret Engine Role - QuaySecretEngineRole is the Schema for the quaysecretengineroles API
  23. Quay Secret Engine Static Role - QuaySecretEngineStaticRole is the Schema for the quaysecretenginestaticroles API
  24. Rabbit MQSecret Engine Config - RabbitMQSecretEngineConfig is the Schema for the rabbitmqsecretengineconfigs API
  25. Rabbit MQSecret Engine Role - RabbitMQSecretEngineRole is the Schema for the rabbitmqsecretengineroles API
  26. Random Secret - RandomSecret is the Schema for the randomsecrets API
  27. Secret Engine Mount - SecretEngineMount is the Schema for the secretenginemounts API
  28. Vault Secret - VaultSecret is the Schema for the vaultsecrets API


Top comments (0)