projectsyn · simu · Apr 29, 2026 · Apr 27, 2026
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -51,6 +51,10 @@ parameters:
         - kind: ServiceAccount
           name: lieutenant-api-user
       env: {}
+      vault:
+        enabled: ${lieutenant:operator:vault:enabled}
+        addr: ${lieutenant:operator:vault:addr}
+        login_method: oidc
 
     tenant_rbac: {}
 

diff --git a/component/api.jsonnet b/component/api.jsonnet
@@ -118,6 +118,11 @@ local user_sa_secrets =
   else
     [];
 
+local vault_env = if params.api.vault.enabled then {
+  VAULT_ADDR: params.api.vault.addr,
+  VAULT_LOGIN_METHOD: params.api.vault.login_method,
+} else {};
+
 
 local objects = [
   role,
@@ -150,7 +155,7 @@ local objects = [
                     STEWARD_IMAGE: steward_image,
                     LIEUTENANT_INSTANCE: params.api.lieutenant_instance,
                     DEFAULT_API_SECRET_REF_NAME: params.api.default_githost,
-                  } + params.api.env)
+                  } + vault_env + params.api.env)
                 ),
               }
             else

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -167,6 +167,32 @@ env:
 Additional environment that should be passed to the Lieutenant API.
 If a dict is given `valueFrom:` is assumed.
 
+== `api.vault.enabled`
+
+[horizontal]
+type:: bool
+default:: `${lieutenant:operator:vault:enabled}`
+
+Whether to enable the Lieutenant API Vault integration.
+If set to true, `api.vault.addr` and `api.vault.login_method` are included in the API discovery endpoint (`/`) as fields `vault.addr` and `vault.loginMethod`.
+Field `vault.loginMethod` is omitted from the response if component parameter `api.vault.login_method` is set to the empty string.
+
+== `api.vault.addr`
+
+[horizontal]
+type:: string
+default:: `${lieutenant:operator:vault:addr}`
+
+Address of the Vault instance.
+
+== `api.vault.login_method`
+
+[horizontal]
+type:: string
+default:: `oidc`
+
+Default login method for users for the Vault instance at `api.vault.addr`.
+Should be set to a value that's suitable for the Vault CLI `login` flag `-method`.
 
 == `api.ingress.host`
 

diff --git a/tests/golden/defaults/lieutenant/lieutenant/20_api/deployment-lieutenant-api.yaml b/tests/golden/defaults/lieutenant/lieutenant/20_api/deployment-lieutenant-api.yaml
@@ -36,6 +36,10 @@ spec:
               value: https://idp.test.com/
             - name: STEWARD_IMAGE
               value: docker.io/projectsyn/steward:v0.13.0
+            - name: VAULT_ADDR
+              value: vault.todo
+            - name: VAULT_LOGIN_METHOD
+              value: oidc
           image: docker.io/projectsyn/lieutenant-api:v0.13.0
           imagePullPolicy: Always
           livenessProbe:

diff --git a/tests/unit/api_test.go b/tests/unit/api_test.go
@@ -28,7 +28,7 @@ func Test_APIDeployment(t *testing.T) {
 	require.NotEmpty(t, deploy.Spec.Template.Spec.Containers)
 	assert.Len(t, deploy.Spec.Template.Spec.Containers, 1)
 	c := deploy.Spec.Template.Spec.Containers[0]
-	assert.Len(t, c.Env, 6)
+	assert.Len(t, c.Env, 8)
 
 	for _, env := range c.Env {
 		switch env.Name {