#vault (2020-09)
Discussions related to Hashicorp Vault
2020-09-07
Has anyone tried using vault-k8s? It seems like an interesting Kubernetes-native way to inject secrets into pods and access them via the file system.
hashicorp/vault-k8s (GitHub): First-class support for Vault and Kubernetes.
Good demo:
Watch this from-the-ground-up demo illustrating how to use HashiCorp Vault’s newest method for managing secrets in a Kubernetes environment.
The one thing that seems somewhat strange is the sidecar that injects secrets gets grouped in with the total number of running pods, which could be confusing - how many actual pods do I have running and how many are sidecars?
I’d be interested to hear if anybody has experience running vault-k8s in production?
2020-09-09
Haven’t tried it yet, and while it’s an arguably more secure implementation using the sidecars, the kubernetes-external-secrets manager appeals more to me since it’s just populating Kubernetes secrets originating from Vault.
godaddy/kubernetes-external-secrets (GitHub): Integrate external secret management systems with Kubernetes.
It gets pretty annoying when you have one sidecar for your mesh, one for your secrets management, one for your forensics (Twistlock), one for your logging, etc.
2020-09-29
Gang, anyone here providing vault as a platform in a larger organization?
Firstly, they released some cool tf modules for deploying Vault (along with Consul and others) into AWS using their best practices (https://www.hashicorp.com/blog/announcing-new-hashicorp-terraform-modules-for-consul-nomad-and-vault). That’s pretty cool
New starter modules are available for Nomad, Consul, and Vault in AWS.