Install and upgrade the Vault Secrets Operator
Prerequisites
- A Kubernetes cluster running 1.23+
- Helm 3.7+
- [Optional] Kustomize 4.5.7+
Installation using Helm
Install Helm before beginning.
The Helm chart is the recommended way of installing and configuring the Vault Secrets Operator.
To install a new instance of the Vault Secrets Operator, first add the HashiCorp Helm repository and ensure you have access to the chart:
Then install the Operator:
Updating CRDs when using Helm
Important
As of VSO 0.8.0, VSO will automatically update its CRDs. The manual upgrade step Updating CRDs below is no longer required before upgrading to VSO 0.8.0+.
Upgrading using Helm
You can upgrade an existing installation with the helm upgrade command.
Always run Helm with the --dry-run option before any install or upgrade to verify changes.
Update the hashicorp Helm repo:
To upgrade your VSO release, replace <TARGET_VSO_VERSION> with the VSO version you are upgrading to:
For example, if you are upgrading to VSO 0.9.1:
The VSO Helm chart will automatically upgrade the CRDs to match the VSO version being deployed. There should be no need to manually update the CRDs prior to upgrading VSO using Helm.
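The upgrade order described above (repo update, dry run, then the real upgrade), as an added example that is not part of the original page. It also covers the pre-0.8.0 case from the Legacy notes by inserting a manual CRD step. The release name, the namespace, and the `helm show crds ... | kubectl apply -f -` form of the CRD step are assumptions.

```shell
#!/bin/sh
# Added example: prints the ordered Helm commands for a VSO upgrade so the
# plan can be reviewed before anything touches the cluster.
# Assumed (not from the page): release name and namespace below.
RELEASE="${RELEASE:-vault-secrets-operator}"      # assumed release name
NAMESPACE="${NAMESPACE:-vault-secrets-operator}"  # assumed namespace
CHART="hashicorp/vault-secrets-operator"

# Succeeds (0) only for a strict MAJOR.MINOR.PATCH string, so nothing else
# (spaces, shell metacharacters, "latest") reaches the command line.
vso_valid_version() {
  case "$1" in
    ''|*[!0-9.]*) return 1 ;;   # empty, or anything but digits and dots
    *.*.*.*)      return 1 ;;   # more than two dots
    ?*.?*.?*)     return 0 ;;   # three non-empty components
  esac
  return 1
}

# Succeeds (0) when the target is older than 0.8.0, the releases for which
# the CRDs have to be updated manually before the Helm upgrade.
vso_needs_manual_crds() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -eq 0 ] && [ "$minor" -lt 8 ]
}

# Prints the commands in order, one per line; returns 2 on a bad version.
vso_upgrade_plan() {
  vso_valid_version "$1" || { echo "invalid version: $1" >&2; return 2; }
  echo "helm repo update hashicorp"
  if vso_needs_manual_crds "$1"; then
    # Assumed form of the legacy CRD step; the page's command is not shown.
    echo "helm show crds --version $1 $CHART | kubectl apply -f -"
  fi
  base="helm upgrade --version $1 --namespace $NAMESPACE $RELEASE $CHART"
  echo "$base --dry-run"   # verify the rendered changes first
  echo "$base"
}

# Stand-alone use: sh vso-plan.sh 0.9.1
if [ $# -gt 0 ]; then vso_upgrade_plan "$1"; fi
```

The script only prints the plan; run the printed commands yourself after reviewing the dry-run output.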
Chart values
Refer to the Helm chart overview for a full list of supported chart values.
Installation using Kustomize
You can install and update your installation using kustomize, which allows you to extend the config/ path of the VSO repository using Kustomize primitives.
To install using Kustomize, download and untar/unzip the latest release from the Releases Page.
Next install using kustomize build:
Confirm the operator has been installed by examining the pods:
Kustomize does not support all features of the Helm chart
Notably, it will not deploy default VaultAuthMethod, VaultConnection or Transit related resources.
Kustomize also does not support the pre-delete hooks that the Helm chart uses to clean up resources and remove finalizers on the uninstall path. Please see config/samples in the downloaded release artifacts for additional resources.
Upgrade using Kustomize
Upgrading using Kustomize is similar to installation: download the new release from GitHub and follow the same steps as outlined in Installation using Kustomize. No additional steps are required to update the CRDs.
Legacy notes
The following notes provide guidance for installing/upgrading older versions of VSO.
Updating CRDs when using Helm prior to VSO 0.8.0
This step can be skipped if you are upgrading to VSO 0.8.0 or later.
Helm does not automatically update CRDs
You must update all CRDs manually before upgrading VSO to a version prior to 0.8.0. When the operator is managed by Helm, you must update the CRDs for VSO manually before you upgrade the operator.
Any kubectl warnings related to last-applied-configuration should be safe to ignore.
To update the VSO CRDs, replace <TARGET_VSO_VERSION> with the VSO version you are upgrading to:
For example, if you are upgrading to VSO 0.7.1: