Skip to content
A Vault swiss-army knife: A K8s operator. Go client with automatic token renewal, Kubernetes support, dynamic secrets, multiple unseal options and more. A CLI tool to init, unseal and configure Vault (auth methods, secret engines). Direct secret injection into Pods.
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci rename test phase and add formatting to helm command May 31, 2019
.github/ISSUE_TEMPLATE Update Jul 15, 2019
.idea Add go imports idea config to make the build happy Nov 21, 2018
cmd vault-env: unset VAULT_TOKEN in case of login only Jul 23, 2019
deploy specify global resourcequota everywhere Jun 18, 2019
docs webhook: remove limitation from doc Jun 21, 2019
hack add example with vaultPodSpec and vaultConfigurerSpec Jun 27, 2019
internal/configuration extract common configuration templating Jul 16, 2019
operator add transit unseal example with operator and webhook Jul 23, 2019
pkg Move the delete statement Jul 1, 2019
scripts remove generated code under license check Jan 18, 2019
.dockerignore dockerignore fix Jun 18, 2019
.editorconfig Fix indentations for *.yaml files and fix .editorconfig to work well … Jan 4, 2019
.gitignore update operator build instructions Jul 15, 2019
.golangci.yml Some generic project improvements Nov 21, 2018
.licensei.toml add back zap to licensei Jul 23, 2019 Create Feb 19, 2019
Dockerfile support vault.hcl (or json) templating Jul 16, 2019
Dockerfile.operator docker: bump alpine to 3.9 Apr 11, 2019
Dockerfile.vault-env docker: bump alpine to 3.9 Apr 11, 2019
Dockerfile.webhook docker: bump alpine to 3.9 Apr 11, 2019
LICENSE Initial commit Mar 7, 2018 Update Jun 19, 2019
Makefile Makefile targets and separate crd for dev shortcuts Jul 11, 2019 Make logo path portable [DockerHub fix] Jul 18, 2019
_config.yml Update _config.yml Apr 25, 2018
go.mod vault-env: added VAULT_TOKEN=vault:login method, remove zap Jul 23, 2019
go.sum operator sdk 0.9.0 - also slok webhook 0.3.0 Jul 15, 2019
ldap_example.ldif LDAP Auth support Jul 26, 2018 fix golangci user script for now Jun 13, 2019
tools.go Supporting nodeselectors, and tolerations (#427) Apr 17, 2019
vault-config.yml add aws secret engine example Jun 13, 2019

Docker Automated build Docker Pulls GoDoc CircleCI Go Report Card

Bank Vaults is a thick, tricky, shifty right with a fast and intense tube for experienced surfers only, located on Mentawai. Think heavy steel doors, secret unlocking combinations and burly guards with smack-down attitude. Watch out for clean-up sets.

Bank-Vaults is an umbrella project which provides various tools for Vault to make using and operating Hashicorp Vault easier. Its a wrapper for the official Vault client with automatic token renewal and built in Kubernetes support, dynamic database credential provider for Golang SQL based clients. It has a CLI tool to automatically initialize, unseal and configure Vault. It also provides a Kubernetes operator for provisioning, and a mutating webhook for injecting secrets.

Bank-Vaults is a core building block of the Banzai Cloud Pipeline platform. Some of the usage patterns are highlighted through these blog posts:

Securing Kubernetes deployments with Vault:

We use Vault across our large Kubernetes deployments and all the projects were reinventing the wheel. We have externalized all the codebase into this project and removed all the Pipeline and Hollowtrees dependencies thus this project can be used independently as a CLI tool to manage Vault, a Golang library to build upon (OAuth2 tokens, K8s auth, Vault operator, dynamic secrets, cloud credential storage, etc), Helm chart for a HA cluster, operator, mutating webhook and a collection of scripts to support some advanced features (dynamic SSH, etc).

We take bank-vaults' security and our users' trust very seriously. If you believe you have found a security issue in bank-vaults, please contact us at

Bank-Vaults is a core part of Banzai Cloud Pipeline, a Cloud Native application and devops platform that natively supports multi- and hybrid-cloud deployments. Check out the developer beta:


go get
go get

If compilation is failed, you should try to enable go modules:

GOPATH=/tmp/gopath-for-bank-vaults GO111MODULE=on go get
GOPATH=/tmp/gopath-for-bank-vaults GO111MODULE=on go get

Read more about usage of bank-vaults in detailed documentation


Kudos to HashiCorp for open sourcing Vault and making secret management easier and more secure.


If you have any questions about Bank-Vaults, and would like to talk to us and the other members of the Banzai Cloud community, please join our #bank-vaults channel on Slack.


Copyright (c) 2017-2019 Banzai Cloud, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

You can’t perform that action at this time.