The Vault DB Injector relies on the database engine from Vault to generate credentials, distribute them to Kubernetes applications and handle their lifecycle.
- Generate credentials through Vault Database Engine
- Distribute credentials to workloads using annotations and a Kubernetes mutating webhook
- Renew credentials when necessary
- Revoke credentials when the application pod is deleted
Check out the Vault DB Injector documentation for more information.
Contributions to the vault-db-injector are welcome. Please submit your pull requests or issues to the project's GitLab repository.
Here you can find a comparison with many Vault injector projects: Comparison
The Vault DB Injector is fully compatible with OpenBao, a community-driven fork of HashiCorp Vault. Since OpenBao maintains API compatibility with Vault, you can seamlessly use this injector with your OpenBao installation without any code modifications.
All the Vault APIs used by this project work out of the box with OpenBao, including:
- Kubernetes authentication
- Database secrets engine
- Token management and renewal
- KV v2 secrets engine for metadata storage
- Lease management
To use the injector with OpenBao, simply point the vaultAddress configuration to your OpenBao instance and ensure your OpenBao setup includes the necessary authentication backends, database engine configuration, and policies that match your deployment requirements.
Special thanks to the contributors and maintainers of the project.