Available with limitations in: BE, SE, SE+, EE, CSE Lite (1.73), CSE Pro (1.73)
The module lifecycle stage: General Availability
The module has requirements for installation
The stronghold module for Deckhouse Kubernetes Platform deploys Deckhouse Stronghold — a key-value secrets store compatible with the HashiCorp Vault API. Below is a short overview of product capabilities; detailed guidance on secrets engines and APIs is in the full documentation on the website.
Full documentation
Detailed administrator and user guides, API reference, and CLI documentation:
After the module is enabled and access is configured, use the User guide and Administrator guide sections.
Quick start
Usage — enabling and disabling the module, Ingress access, common startup errors, and working with keys.
Stronghold capabilities
Security model and access
- Policies, identity, tokens, and leases;
- Authentication methods including Kubernetes, OIDC, JWT, LDAP, token, userpass, approle, WebAuthn, and SAML — together with cluster Dex and external IdPs.
Secrets engines
- KV (v1 and v2), KV replication across clusters;
- PKI — dynamic X.509 certificates with GOST support;
- Transit — encryption as a service;
- SSH — signed SSH certificates;
- Cubbyhole, TOTP;
- Kubernetes — binding to service accounts and roles;
- LDAP, Identity (OIDC provider and identity tokens);
- Databases — issuing credentials for PostgreSQL, MySQL/MariaDB, ClickHouse, and others.
Operations and integrations
- Secrets delivery to applications — Stronghold Agent and integration with the secrets-store-integration module to inject secrets into pods;
- Audit — logging and filtering configuration;
- Backups — snapshots overview, automated snapshots and API;
- Namespaces — isolating configuration and secrets;
- Plugins — available in DKP and in this module's repository: Plugins.