
KubeVault is a Kubernetes operator for HashiCorp Vault. Vault is a tool for secrets management, encryption as a service, and privileged access management. The KubeVault operator makes it easy to deploy, maintain, and manage Vault servers in Kubernetes. It also supports managing various secret engines and policies in the Kubernetes-native way.
We are very excited to announce the release of KubeVault v2025.11.21 Edition.
You can find the complete commit-by-commit changelog here.
New Version Support
KubeVault now supports the latest OpenBao version 2.4.3. To deploy a VaultServer with the latest release, apply the following manifest.
apiVersion: kubevault.com/v1alpha2
kind: VaultServer
metadata:
  name: vault
  namespace: demo
spec:
  replicas: 3
  version: openbao-2.4.3
  allowedSecretEngines:
    namespaces:
      from: All            # secret engines from any namespace may attach to this server
  backend:
    raft:
      storage:
        storageClassName: "standard"
        resources:
          requests:
            storage: 1Gi
  unsealer:
    secretShares: 5        # the unseal key is split into 5 shares
    secretThreshold: 3     # any 3 shares are enough to unseal
    mode:
      kubernetesSecret:
        secretName: vault-keys   # unseal keys are stored in this Kubernetes Secret
  terminationPolicy: WipeOut
After deployment:
- You can exec into the pod and use either the vault or bao CLI.
- All secret engines, auth methods, policies, tokens, and KubeVault workflows work as expected.
Bug Fixes and Performance Improvements
We have fixed an issue affecting Raft-backed Vault clusters where a leader node could become unresponsive to API calls. This “zombie leader” state prevented proper failover and could impact cluster availability. The operator now detects this condition more reliably to ensure smoother recovery and improved stability for Raft-based deployments.
What’s Next?
Please try the latest release and give us your valuable feedback.
- If you want to install KubeVault, please follow the installation instructions here.
Support
To speak with us, please leave a message on our website.
To receive product announcements, follow us on Twitter.
If you have found a bug with KubeVault or want to request new features, please file an issue.





