Forem: Ivan Tsanev The latest articles on Forem by Ivan Tsanev (@ivantsanev13). https://forem.com/ivantsanev13 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3863634%2F13b893da-a2d4-44f8-ab7d-09124371c3e1.jpeg Forem: Ivan Tsanev https://forem.com/ivantsanev13 en Running Vault in Kubernetes — Lessons from a Homelab Ivan Tsanev Mon, 06 Apr 2026 10:13:28 +0000 https://forem.com/ivantsanev13/running-vault-in-kubernetes-lessons-from-a-homelab-9m2 https://forem.com/ivantsanev13/running-vault-in-kubernetes-lessons-from-a-homelab-9m2 <p>This post is aimed at engineers running Vault on bare metal or self-hosted Kubernetes — managed cloud clusters handle some of this automatically, but on-prem you're on your own.</p> <h2> Running Vault in Kubernetes — Lessons from a Homelab </h2> <p>Most Vault + Kubernetes tutorials cover the basics: install Vault, store a secret, inject it into a pod. This post covers what comes after that — persistent storage, unsealing, and getting secrets into pods properly using External Secrets Operator.</p> <h2> Why Vault in the First Place </h2> <p>Kubernetes Secrets are not secret. They're base64 encoded — which is encoding, not encryption. Anyone with the right RBAC permissions can decode them in seconds. There's no audit trail, no rotation, no central management.</p> <p>Vault solves all of this. Secrets are encrypted at rest, every access is logged, and you can rotate credentials without touching your cluster.</p> <p>The problem is getting there.</p> <h2> Start with Persistent Storage </h2> <p>The natural starting point is dev mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">dev</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">devRootToken</span><span class="pi">:</span> <span class="s2">"</span><span class="s">root"</span> </code></pre> </div> <p>Dev mode is convenient — Vault starts pre-initialized and pre-unsealed. Good for experimenting.</p> <p>I started there too. Then a network routing issue caused my cluster to restart. I was troubleshooting Tailscale subnet routing — trying to reach cluster services from outside my home network — which left the routing table in a broken state and eventually took down the whole cluster. After bringing everything back up, ESO couldn't sync anything. The secrets were gone because dev mode stores everything in memory.</p> <p>That's when persistent storage became obvious. Vault is deployed via the official HashiCorp Helm chart. Use a proper storage class from the start — the following are the relevant Helm values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">dev</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">dataStorage</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">storageClass</span><span class="pi">:</span> <span class="s">longhorn</span> <span class="c1"># replace with your storage class</span> </code></pre> </div> <p>One thing to know: switching from dev mode to production mode isn't a config swap. Dev mode doesn't create a PVC, but you do need to delete the existing StatefulSet first — otherwise Helm will try to update it in place and hit an immutable fields error. Delete it, redeploy with the new config, then initialize fresh with <code>vault operator init</code>.</p> <h2> The Unseal Problem </h2> <p>Production Vault starts sealed after every restart. This is a security feature — if someone steals your disk, the data is useless without the unseal keys. But it also means every time your pod restarts, someone has to manually unseal it.</p> <p>The proper solution is auto-unseal via a cloud KMS (AWS KMS, Azure Key Vault, etc.). For a homelab, I built a simpler workaround — a Kubernetes CronJob that runs every minute and unseals Vault automatically.</p> <p>First, store your unseal keys in a K8s Secret. When you initialize Vault with <code>vault operator init</code>, it generates 5 unseal keys and requires any 3 of them to unseal. Store 3 of those keys here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic vault-unseal-keys <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">key1</span><span class="o">=</span>&lt;UNSEAL_KEY_1&gt; <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">key2</span><span class="o">=</span>&lt;UNSEAL_KEY_2&gt; <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">key3</span><span class="o">=</span>&lt;UNSEAL_KEY_3&gt; <span class="se">\</span> <span class="nt">-n</span> vault </code></pre> </div> <p>Then deploy the CronJob. It runs every minute, reads the keys from that Secret as environment variables, and passes them to <code>vault operator unseal</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CronJob</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-unsealer</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">vault</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*"</span> <span class="na">jobTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-unsealer</span> <span class="na">image</span><span class="pi">:</span> <span class="s">hashicorp/vault:1.18.1</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">export VAULT_ADDR=http://vault.vault.svc:8200 # &lt;service-name&gt;.&lt;namespace&gt;.svc</span> <span class="s">vault operator unseal $KEY1</span> <span class="s">vault operator unseal $KEY2</span> <span class="s">vault operator unseal $KEY3</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KEY1</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-unseal-keys</span> <span class="c1"># the Secret we created above</span> <span class="na">key</span><span class="pi">:</span> <span class="s">key1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KEY2</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-unseal-keys</span> <span class="na">key</span><span class="pi">:</span> <span class="s">key2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KEY3</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-unseal-keys</span> <span class="na">key</span><span class="pi">:</span> <span class="s">key3</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">OnFailure</span> </code></pre> </div> <p>Worth noting: storing unseal keys in the same cluster as Vault is circular from a security standpoint — if someone compromises the cluster, they have both. For a homelab it's an acceptable trade-off. In production, use cloud KMS where the unseal key lives outside the cluster entirely.</p> <h2> External Secrets Operator </h2> <p>Vault stores your secrets. But your pods need Kubernetes Secrets. These are two different things and Vault alone doesn't bridge the gap.</p> <p>That's what External Secrets Operator (ESO) does. It watches for <code>ExternalSecret</code> resources in your cluster and automatically syncs secrets from Vault into native K8s Secrets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Vault (source of truth) → ESO watches ExternalSecret resources → Creates/updates K8s Secrets automatically → Pod consumes K8s Secret as env var or volume mount </code></pre> </div> <p><strong>Step 1 — Tell ESO how to connect to Vault</strong></p> <p>A <code>ClusterSecretStore</code> is a cluster-wide resource that defines the connection to your secret backend — in this case Vault. Think of it as a named connection configuration that all your namespaces can reference.</p> <p>ESO needs a token to authenticate against Vault. You store that token in a regular K8s Secret first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic vault-auth-token <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">token</span><span class="o">=</span>&lt;YOUR_VAULT_TOKEN&gt; <span class="se">\</span> <span class="nt">-n</span> default </code></pre> </div> <p>Then reference it in the <code>ClusterSecretStore</code>. The <code>tokenSecretRef</code> block points to that K8s Secret — <code>name</code> is the name of the secret, and <code>key</code> is the field inside it that holds the actual Vault token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterSecretStore</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-connection</span> <span class="c1"># referenced by ExternalSecrets later</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">vault</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://vault.vault.svc:8200"</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">secret"</span> <span class="c1"># the KV engine mount name in Vault</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">v2"</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">tokenSecretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-auth-token</span> <span class="c1"># K8s Secret that holds the Vault token</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">key</span><span class="pi">:</span> <span class="s">token</span> <span class="c1"># the field inside that Secret</span> </code></pre> </div> <p><strong>Step 2 — Store the secret in Vault</strong></p> <p>Before ESO can sync anything, the secret needs to exist in Vault. If the path doesn't exist yet, ESO will report a <code>SecretSyncedError</code> status on the ExternalSecret resource — easy to miss if you're not watching. Create the secret first (make sure <code>VAULT_ADDR</code> and <code>VAULT_TOKEN</code> are set in your shell):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">VAULT_ADDR</span><span class="o">=</span>http://&lt;vault-address&gt;:8200 <span class="nb">export </span><span class="nv">VAULT_TOKEN</span><span class="o">=</span>&lt;your-vault-token&gt; vault kv put secret/myproject/production/database <span class="nv">password</span><span class="o">=</span><span class="s2">"your-db-password"</span> <span class="c"># "secret" here is the KV engine mount name, not a literal — adjust if yours is named differently</span> </code></pre> </div> <p><strong>Step 3 — Define what to sync</strong></p> <p>An <code>ExternalSecret</code> tells ESO: fetch this specific secret from Vault and create a K8s Secret from it. It references the <code>ClusterSecretStore</code> you defined above.</p> <p>The <code>remoteRef.key</code> is the path to the secret in Vault. A common convention is to organize secrets by project and environment — <code>myproject/production/database</code>, <code>myproject/staging/database</code> — so different clusters or namespaces can point to the right environment just by changing the path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database-credentials</span> <span class="c1"># name of this ExternalSecret resource</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="s">1h</span> <span class="c1"># how often ESO re-syncs from Vault</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-connection</span> <span class="c1"># references the ClusterSecretStore above</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterSecretStore</span> <span class="na">target</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database-credentials</span> <span class="c1"># name of the K8s Secret ESO will create</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretKey</span><span class="pi">:</span> <span class="s">db-password</span> <span class="c1"># key name in the resulting K8s Secret</span> <span class="na">remoteRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">myproject/production/database</span> <span class="na">property</span><span class="pi">:</span> <span class="s">password</span> <span class="c1"># the field inside that Vault secret</span> </code></pre> </div> <p>ESO creates a K8s Secret called <code>database-credentials</code> in the <code>production</code> namespace and keeps it in sync. Update the value in Vault, the K8s Secret updates automatically within the refresh interval — without touching the cluster.</p> <h2> Env Vars vs Volume Mounts </h2> <p>Once the K8s Secret exists, you have two ways to consume it in a pod.</p> <p><strong>Environment variables</strong> are set at container start time and never update. If the secret rotates, the pod needs a restart to see the new value.</p> <p><strong>Volume mounts</strong> update automatically. When the K8s Secret changes, the mounted file updates inside the pod within roughly 60-90 seconds (kubelet sync period). No restart needed — as long as the app re-reads the file each time it needs the value rather than caching it at startup.</p> <p>Here's what it looks like in a full Deployment spec:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:latest</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">credentials-vol</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/secrets</span> <span class="c1"># files appear here inside the container</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">credentials-vol</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">database-credentials</span> <span class="c1"># the K8s Secret ESO created</span> </code></pre> </div> <p>The file name inside the pod matches the <code>secretKey</code> field defined in the ExternalSecret — in this example <code>db-password</code>, so the app reads <code>/etc/secrets/db-password</code> as a plain file. For anything that rotates — database passwords, API keys — volume mounts are the right choice.</p> <h2> Summary </h2> <p>The full working stack: Vault with Longhorn persistent storage, auto-unseal CronJob, ESO syncing secrets to K8s, pods consuming via volume mounts.</p> <ul> <li>Don't use dev mode for anything you care about — persistent storage from the start saves a lot of pain</li> <li>Initialize Vault before deploying anything that depends on it — ESO will report sync errors if Vault isn't ready</li> <li>Use volume mounts over env vars for secrets that rotate, and make sure your app reads the file on each use rather than caching it</li> <li>Test your unseal story before you need it at an inconvenient time</li> </ul> kubernetes vault devops security