Vault
HashiCorp Vault is the central secrets store for the platform. It runs in HA mode with Raft integrated storage and feeds secrets to applications through the External Secrets Operator.
Deployment
| Field | Value |
|---|---|
| Flux path | flux-clusters/stefanzhelev/apps/vault |
| Base path | flux-apps/vault |
| Namespace | vault |
| Sync wave | 1 (foundational — deployed first) |
| Depends on | — |
What it deploys
- HelmRelease for the HashiCorp Vault chart, version constraint `>= 0.28.0 < 1.0.0`
- An init Job that runs once on first boot to initialize Vault and write the unseal keys
- An unseal-check Job that monitors the cluster and surfaces sealed pods
- Traefik Ingress exposing the UI
Configuration highlights
| Component | Configuration |
|---|---|
| Replicas | 3 (StatefulSet) |
| Storage backend | Integrated Raft |
| Storage size | 1Gi per replica |
| Listener | TCP [::]:8200, TLS disabled (terminated at the ingress) |
| Cluster port | 8201 |
| UI | enabled |
| Injector | enabled |
| Ingress | Traefik to vault.internal.stefanzhelev.com (VPN-only via internalsecure entrypoint) |
| Resources | 250m CPU / 256Mi memory request, 500m / 512Mi limit |
Raft peers
Each Vault pod auto-joins the cluster:

```
vault-0.vault-internal:8201
vault-1.vault-internal:8201
vault-2.vault-internal:8201
```
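The Raft peers above are the cluster addresses (port 8201) that `vault operator raft list-peers` reports. Auto-join itself is driven by `retry_join` stanzas in the server config, which point at each peer's API address (port 8200). The following Helm values snippet is an added illustration of how the listener, Raft storage and retry-join settings in the configuration table fit together in the `hashicorp/vault` chart; it is not the repository's own HelmRelease, and the `/vault/data` path, the plaintext `http://` scheme and the exact values keys are assumptions based on the chart's documented defaults.

```yaml
# Added example: Helm values for the hashicorp/vault chart (not the repo's own file).
# Keys follow the chart's documented layout (server.ha.raft.config, server.dataStorage).
ui:
  enabled: true            # matches "UI: enabled"
injector:
  enabled: true            # matches "Injector: enabled"
server:
  resources:
    requests: { cpu: 250m, memory: 256Mi }
    limits:   { cpu: 500m, memory: 512Mi }
  dataStorage:
    size: 1Gi              # 1Gi per replica, one PVC per StatefulSet pod
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true      # node_id = pod name, so list-peers shows vault-0/1/2
      config: |
        ui = true
        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
          # TLS is terminated at the Traefik ingress; in-cluster API traffic
          # between ESO, the injector and Vault is therefore plaintext.
          tls_disable     = "true"
        }
        storage "raft" {
          path = "/vault/data"      # assumed data path
          # retry_join targets the API port (8200), not the cluster port (8201)
          # that list-peers displays. Each pod tries all three so any of them
          # can join regardless of which one currently leads.
          retry_join {
            leader_api_addr = "http://vault-0.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-1.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-2.vault-internal:8200"
          }
        }
        service_registration "kubernetes" {}
```

Because `tls_disable` is set, anything that can reach the `vault` Service inside the cluster sees tokens and secret payloads in the clear; NetworkPolicy restricting ingress to the `vault` namespace is the usual compensating control when TLS is only terminated at the edge.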
Secrets flow
```
Vault (source of truth)
  ↓
External Secrets Operator (syncs secrets)
  ↓
Kubernetes Secrets (consumed by apps)
```

The External Secrets config (wave 2) waits on Vault before declaring its ClusterSecretStore. Apps in later waves then consume Vault material by declaring ExternalSecret objects in their own namespaces.
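To make the flow concrete, here is an added example (not a manifest from this repository) of the two objects involved: a cluster-wide ClusterSecretStore that authenticates to Vault with the Kubernetes auth method, and an ExternalSecret in an application namespace that pulls one KV v2 entry into a plain Kubernetes Secret. The store name `vault`, the `kubernetes` auth mount, the `external-secrets` role and service account, the `secret` KV mount, the `apps/my-app/db` path and the `my-app` namespace are all assumptions; the `external-secrets.io` API version depends on the ESO release in use.

```yaml
# Added example: ClusterSecretStore + ExternalSecret for the Vault -> ESO -> Secret flow.
# Names, paths and the Vault role are assumptions, not values from the repo.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault
spec:
  provider:
    vault:
      server: "http://vault.vault.svc:8200"   # in-cluster API, plaintext (TLS at ingress)
      path: "secret"                          # KV mount; assumed
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"             # Vault auth mount; assumed
          role: "external-secrets"            # Vault role bound to the SA below; assumed
          serviceAccountRef:
            name: "external-secrets"
            namespace: "external-secrets"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-db
  namespace: my-app                           # app's own namespace (later sync wave)
spec:
  refreshInterval: 1h                         # re-read Vault hourly so rotations propagate
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    name: app-db                              # resulting Kubernetes Secret
    creationPolicy: Owner                     # ESO owns and garbage-collects the Secret
  data:
    - secretKey: password                     # key inside the Kubernetes Secret
      remoteRef:
        key: apps/my-app/db                   # KV v2 path under the "secret" mount
        property: password                    # field in that KV entry
```

The Vault policy attached to the `external-secrets` role is the real boundary here: ESO only ever holds one token, so that policy should grant `read` on exactly the KV paths the cluster's ExternalSecrets reference rather than a blanket `secret/*`. Checking `kubectl get externalsecret -A` for a `SecretSyncedError` status is the quickest way to spot a path the policy does not cover.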
Integrations
- External Secrets: the bridge that turns Vault material into Kubernetes Secrets
- Tofu Controller: writes credentials and policies into Vault from Terraform CRs
Key commands
```bash
# Check Vault status
kubectl exec -n vault vault-0 -- vault status

# View raft peers
kubectl exec -n vault vault-0 -- vault operator raft list-peers

# Unseal Vault (if sealed)
kubectl exec -n vault vault-0 -- vault operator unseal <key>

# Login to Vault
kubectl exec -n vault vault-0 -- vault login

# List secret engines
kubectl exec -n vault vault-0 -- vault secrets list

# Read a secret
kubectl exec -n vault vault-0 -- vault kv get <path>

# Port-forward the UI
kubectl port-forward -n vault svc/vault 8200:8200
```