
Pods, Tokens, and a Little Glue: Integrating Kubernetes and Vault on the Elastic DevOps Team

Blog post from Elastic

Post Details
Author: Tyler Langlois
Word Count: 1,675
Summary

Elastic's Infrastructure team has developed a method for integrating Kubernetes with HashiCorp Vault to manage secrets securely while reducing operational burdens. The integration, aimed at simplifying the migration of applications to Kubernetes, involves connecting Kubernetes to Vault and exposing secrets to running applications using tools like kubernetes-vault and vaultenv. This setup ensures that sensitive data is centralized and securely communicated without being hardcoded into source code repositories. The process involves using periodic tokens and sidecar containers for token renewal, allowing applications to access secrets via environment variables with minimal modifications. The approach supports a cloud-agnostic architecture, enabling the team to run Kubernetes in various environments while maintaining secure access to Vault APIs. Despite the introduction of HashiCorp's native Kubernetes integration, the techniques discussed, including using vaultenv for non-native services, remain relevant for managing secrets in Kubernetes deployments.