Installing and upgrading the Vault Secrets Operator

Prerequisites

A Kubernetes cluster running 1.23+
Helm 3.7+
[Optional] Kustomize 4.5.7+

Installation using Helm

Install Helm before beginning.

The Vault Secrets Operator Helm chart is the recommended way of installing and configuring the Vault Secrets Operator.

To install a new instance of the Vault Secrets Operator, first add the HashiCorp Helm repository and ensure you have access to the chart:

$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories

$ helm search repo hashicorp/vault-secrets-operator
NAME            CHART VERSION   APP VERSION DESCRIPTION
hashicorp/vault-secrets-operator    0.7.1           0.7.1       Official HashiCorp Vault Secrets Operator Chart

Then install the Operator:

$ helm install --version 0.7.1 --create-namespace --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator

Upgrading using Helm

You can upgrade an existing installation with the helm upgrade command. Please always run Helm with the --dry-run option before any install or upgrade to verify changes.

Update the hashicorp Helm repo:

$ helm repo update hashicorp
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "hashicorp" chart repository
Update Complete. ⎈Happy Helming!⎈

Helm does not automatically update CRDs

You must update all CRDs manually before upgrading VSO. Refer to Updating CRDs.

To upgrade your VSO release, replace <TARGET_VSO_VERSION> with the VSO version you are upgrading to:

$ helm show crds --version <TARGET_VSO_VERSION> hashicorp/vault-secrets-operator | kubectl apply -f -
$ helm upgrade --version <TARGET_VSO_VERSION> --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator

For example, if you are upgrading to VSO 0.7.1:

$ helm show crds --version 0.7.1 hashicorp/vault-secrets-operator | kubectl apply -f -
$ helm upgrade --version 0.7.1 --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator

Updating CRDs when using Helm

You must update the CRDs for VSO manually before you upgrade the operator when the operator is managed by Helm.

Any kubectl warnings related to last-applied-configuration should be safe to ignore.

To update the VSO CRDs, replace <TARGET_VSO_VERSION> with the VSO version you are upgrading to:

$ helm show crds --version <TARGET_VSO_VERSION> hashicorp/vault-secrets-operator | kubectl apply -f -

For example, if you are upgrading to VSO 0.7.1:

$ helm show crds --version 0.7.1 hashicorp/vault-secrets-operator | kubectl apply -f -

customresourcedefinition.apiextensions.k8s.io/hcpauths.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/hcpvaultsecretsapps.secrets.hashicorp.com created
Warning: resource customresourcedefinitions/vaultauths.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultauths.secrets.hashicorp.com configured
Warning: resource customresourcedefinitions/vaultconnections.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultconnections.secrets.hashicorp.com configured
Warning: resource customresourcedefinitions/vaultdynamicsecrets.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultdynamicsecrets.secrets.hashicorp.com configured
Warning: resource customresourcedefinitions/vaultpkisecrets.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultpkisecrets.secrets.hashicorp.com configured
Warning: resource customresourcedefinitions/vaultstaticsecrets.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultstaticsecrets.secrets.hashicorp.com configured

Chart values

Refer to the VSO Helm chart overview for a full list of supported chart values.

Installation using Kustomize

You can install and update your installation using kustomize which allows you to extend the config/ path of the VSO repository using Kustomize primitives.

To install using Kustomize, download and untar/unzip the latest release from the Releases Page.

$ wget -q https://github.com/hashicorp/vault-secrets-operator/archive/refs/tags/v0.7.1.tar.gz
$ tar -zxf v0.7.1.tar.gz
$ cd vault-secrets-operator-0.7.1/

Next install using kustomize build:

$ kustomize build config/default | kubectl apply -f -
namespace/vault-secrets-operator-system created
customresourcedefinition.apiextensions.k8s.io/hcpauths.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/hcpvaultsecretsapps.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultauths.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultconnections.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultdynamicsecrets.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultpkisecrets.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultstaticsecrets.secrets.hashicorp.com created
serviceaccount/vault-secrets-operator-controller-manager created
role.rbac.authorization.k8s.io/vault-secrets-operator-leader-election-role created
clusterrole.rbac.authorization.k8s.io/vault-secrets-operator-manager-role created
clusterrole.rbac.authorization.k8s.io/vault-secrets-operator-metrics-reader created
clusterrole.rbac.authorization.k8s.io/vault-secrets-operator-proxy-role created
rolebinding.rbac.authorization.k8s.io/vault-secrets-operator-leader-election-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/vault-secrets-operator-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/vault-secrets-operator-proxy-rolebinding created
configmap/vault-secrets-operator-manager-config created
service/vault-secrets-operator-controller-manager-metrics-service created
deployment.apps/vault-secrets-operator-controller-manager created

Confirm the operator has been installed by examining the pods:

$ kubectl get pods -n vault-secrets-operator-system
NAMESPACE                       NAME                                                         READY   STATUS    RESTARTS   AGE
vault-secrets-operator-system   vault-secrets-operator-controller-manager-56754d5496-cq69s   2/2     Running   0          1m17s

Kustomize does not support all features of the Helm chart

Notably it will not deploy default VaultAuthMethod, VaultConnection or Transit related resources. Kustomize also does not support pre-delete hooks that the Helm chart uses to cleanup resources and remove finalizers on the uninstall path. Please see config/samples or config/samples in the downloaded release artifacts for additional resources.

Upgrade using Kustomize

Upgrading using Kustomize is similar to installation: simply download the new release from github and follow the same steps as outlined in Installation using Kustomize. No additional steps are required to update the CRDs.