// the find
ricoberger/vault-secrets-operator
Create Kubernetes secrets from Vault for a secure GitOps based workflow.
A Kubernetes operator that syncs secrets from HashiCorp Vault into native Kubernetes Secret objects, letting you commit VaultSecret CRs to git without committing the actual credentials. It's for teams already running Vault who want a GitOps-friendly secret management story without adopting the External Secrets Operator (ESO) wholesale.
Supports seven Vault auth methods out of the box (token, Kubernetes, AppRole, userpass, AWS, Azure, GCP); the Kubernetes auth method in particular is the right default, and the setup instructions for it are thorough. The Go template system with Sprig functions and custom `{%`/`%}` delimiters is genuinely useful for constructing connection strings or reformatting secrets without a separate pipeline step. PKI engine support with automatic pre-expiry certificate renewal is a real feature that most similar tools skip. The Merge reconciliation strategy means you can layer Vault-sourced keys onto existing secrets without nuking manually-managed entries.
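As an added illustration of the templating and Merge behaviour described above (example code written for this review, not the operator's own code), the Go snippet below renders VaultSecret-style templates with the `{%`/`%}` delimiters and then applies Merge semantics over an existing Secret's data. It assumes the Vault values are exposed to templates as `.Secrets`, stands in a hand-rolled `b64enc` for the Sprig function, and uses `missingkey=error` so a mistyped key fails the reconcile instead of writing an empty credential.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"text/template"
)

// Values read from Vault, exposed to templates as .Secrets (assumption: mirrors the operator's shape).
type templateData struct {
	Secrets map[string]string
}

// renderTemplates renders each template with {% %} delimiters so a Helm chart's {{ }} is left untouched.
// b64enc is a hand-rolled stand-in for the Sprig function (assumption); missingkey=error makes a typo in
// a key name fail loudly instead of silently writing an empty credential into the Secret.
func renderTemplates(secrets, templates map[string]string) (map[string]string, error) {
	funcs := template.FuncMap{
		"b64enc": func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
	}
	out := make(map[string]string, len(templates))
	for key, tpl := range templates {
		t, err := template.New(key).Delims("{%", "%}").Option("missingkey=error").Funcs(funcs).Parse(tpl)
		if err != nil {
			return nil, fmt.Errorf("template %q: %w", key, err)
		}
		var buf bytes.Buffer
		if err := t.Execute(&buf, templateData{Secrets: secrets}); err != nil {
			return nil, fmt.Errorf("template %q: %w", key, err)
		}
		out[key] = buf.String()
	}
	return out, nil
}

// mergeSecret applies the Merge reconciliation strategy: rendered keys overwrite same-named keys,
// while keys the operator did not produce (added by hand or by another controller) are preserved.
func mergeSecret(existing, rendered map[string]string) map[string]string {
	merged := make(map[string]string, len(existing)+len(rendered))
	for k, v := range existing {
		merged[k] = v
	}
	for k, v := range rendered {
		merged[k] = v
	}
	return merged
}
```

Feeding `{"username": "app", "password": "s3cr3t"}` through a `postgres://{% .Secrets.username %}:{% .Secrets.password %}@db:5432/app` template yields the connection string, while a template that references `.Secrets.pasword` returns an error rather than an empty value.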
Still on `v1alpha1` after years of development — there's no path to stability documented, which is a yellow flag for production adoption. The CRD is cluster-scoped in behavior but namespace-aware only via `VAULT_RESTRICT_NAMESPACE`, making multi-tenant setups awkward; you're one misconfigured operator away from one team reading another team's secrets. No webhook validation means bad CRs fail silently at reconcile time rather than at apply time. This project has significant overlap with the official HashiCorp Vault Secrets Operator (released 2023) — HashiCorp's version has dynamic secrets, secret rotation, and an active enterprise support path; adopting ricoberger's version now means a likely migration later.