
Vault Agent Injector vs Secrets Operator: A Kubernetes comparison

Compare Vault Agent Injector and Vault Secrets Operator for Kubernetes. Learn why we chose Vault Agent for dynamic secrets in production.

This is part 5 of our HashiCorp Vault production series. With Vault running in our tooling cluster, we faced a crucial decision: how do we get those secrets into our application pods?

Series overview:

The 3 HashiCorp Vault Kubernetes integration options

HashiCorp provides three methods to get Vault secrets into Kubernetes:

Our specific requirements

Before choosing, we had to consider our setup:

The key requirement? Automatic lease renewal for dynamic secrets.

Comparing the methods

With our requirements clear, we focused our comparison on the Vault Agent Injector and the Vault Secrets Operator. This is how the two compare:

Feature                              | Vault Agent Injector            | Vault Secrets Operator
-------------------------------------|---------------------------------|------------------------------
Secret delivery                      | Sidecar volume                  | Kubernetes Secret
Dynamic secrets support              | ✅ Yes                          | ❌ No (manual rotation)
Lease management                     | ✅ Automatic                    | ❌ No
GitOps compatibility                 | ⚠️ Limited (via annotations)    | ✅ Full (via CRDs)
Use of native K8s Secrets            | ❌ No                           | ✅ Yes
Dependency on Vault at pod startup   | ✅ Yes                          | ❌ No
Best application                     | Dynamic credentials             | Static configuration

Why We Chose HashiCorp Vault Agent Injector

The decision was straightforward once we looked at our dynamic database credentials requirement:

Since we already use External Secrets Operator for static secrets (perfect for GitOps), we didn’t need VSO’s CRD approach. Vault Agent handles our dynamic credentials beautifully.

The Trade-offs We Accepted

Choosing Vault Agent Injector meant accepting:

For dynamic database credentials with automatic renewal, these trade-offs were worth it. The automatic lease management alone prevents countless rotation-related incidents.

How HashiCorp Vault Agent Injector Works

Here’s the flow when using Vault Agent Injector:

The process is elegant:

Applications don’t need to know Vault exists – they just read files from a local path.
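As an added illustration of that flow (example manifest written for this post, not taken from our GitHub repository), here is what the annotation-driven approach looks like on a Deployment. The role name orders-api, the database-engine path database/creds/orders-api and the image are assumed placeholders; the vault.hashicorp.com annotations themselves are the injector's real ones.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api                # constructed example name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
      annotations:
        # Ask the injector's mutating webhook to add the vault-agent init and sidecar containers.
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes-auth role in Vault bound to this pod's service account (assumed name).
        vault.hashicorp.com/role: "orders-api"
        # Render /vault/secrets/db-creds from the database secrets engine (assumed path).
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/orders-api"
        # Template the leased username/password into a file the app can source as env vars.
        # The sidecar renews the lease and re-renders this file when the credentials rotate.
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/orders-api" -}}
          PGUSER={{ .Data.username }}
          PGPASSWORD={{ .Data.password }}
          {{- end }}
    spec:
      serviceAccountName: orders-api
      containers:
        - name: app
          image: example.com/orders-api:1.0.0   # placeholder image
          # The app only reads the rendered file from the shared in-memory volume;
          # it never authenticates to Vault itself.
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -a; . /vault/secrets/db-creds; set +a
              exec /app/server
```

Because the init container must reach Vault and render the file before the app container starts, this manifest also shows the "dependency on Vault at pod startup" trade-off from the table above.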

What’s Next?

With secrets flowing into our pods, how do we keep Vault itself secure? Our next post covers the internal NLB + VPN pattern for securing Vault access.

Continue reading: Kubernetes Vault Integration: Securing AWS Secrets with Internal NLB & VPN

Get the code: Our Vault configuration on GitHub


Kilian Niemegeerts
