»Installing the Agent Injector

The Vault Helm chart is the recommended way to install and configure the Agent Injector in Kubernetes.

To install a new instance of Vault and the Vault Agent Injector, first add the Hashicorp helm repository and ensure you have access to the chart:

$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories

$ helm search repo hashicorp/vault
NAME            CHART VERSION   APP VERSION DESCRIPTION
hashicorp/vault 0.10.0          1.7.0       Official HashiCorp Vault Chart

Then install the chart and enable the injection feature by setting the injector.enabled value to true:

helm install vault hashicorp/vault --set="injector.enabled=true"

Upgrades may be performed with helm upgrade on an existing install. Please always run Helm with --dry-run before any install or upgrade to verify changes.

You can see all the available values settings by running helm inspect values hashicorp/vault or by reading the Vault Helm Configuration Docs. Commonly used values in the Helm chart include limiting the namespaces the injector runs in, TLS options and more.

»TLS Options

Admission webhook controllers require TLS to run within Kubernetes. At this time the Vault Agent Injector supports two TLS options:

  • Auto TLS generation (default)
  • Manual TLS

»Auto TLS

By default, the Vault Agent Injector will bootstrap TLS by generating a certificate authority and creating a certificate/key to be used by the controller. If using Vault Helm, the chart will automatically create the necessary DNS entries for the controller's service used to verify the certificate.

»Manual TLS

If desired, users can supply their own TLS certificates, key and certificate authority. The following is required to configure TLS manually:

  • Server certificate/key
  • Base64 PEM encoded Certificate Authority bundle

For more information on configuring manual TLS, see the Vault Helm cert values.

»Multiple Replicas and TLS

The Vault Agent Injector can be run with multiple replicas if using Manual TLS, and as of v0.7.0 multiple replicas are also supported with Auto TLS. The number of replicas is controlled in the Vault Helm chart by the injector.replicas value.

With Auto TLS and multiple replicas, a leader-elector sidecar container is deployed with each replica. These sidecars determine which injector replica is the "leader" in charge of generating the CA and patching the webhook caBundle in Kubernetes, and also generating and distributing the certificate and key to the "followers". The followers read the certificate and key needed for the webhook service listener from a Kubernetes Secret, which is updated by the leader when a certificate is near expiration.

The leader-elector sidecar in use is described in detail here. For more information on configuring leader election, see the Vault Helm leaderElector values.

With Manual TLS and multiple replicas, injector.leaderElector.enabled should be set to false since leader-election is not necessary in this case.

If there is only one replica set (regardless of other TLS or leaderElector settings), no leader-elector containers will be deployed.

»Namespace Selector

By default, the Vault Agent Injector will process all namespaces in Kubernetes except the system namespaces kube-system and kube-public. To limit what namespaces the injector can work in a namespace selector can be defined to match labels attached to namespaces.

For more information on configuring namespace selection, see the Vault Helm namespaceSelector value.