secrets-store-csi-driver-provider-gcp VS Vault

The driver can also sync changes to secrets. The driver currently supports Vault, AWS, Azure, and GCP providers. Secrets Store CSI Driver can also sync provider secrets as Kubernetes secrets; if required, this behavior needs to be explicitly enabled during installation.

GCP SS-CSI driver

That's interesting actually, Google provides their own rpvider for the Secrets Store CSI Driver: https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp

Consider: if you have a tool like terraform managing your infra components including your data layer, you likely want to manage those reaources in a different lifecycle from your application code. Applications may also likely managed using a different toolset (kubectl, helm, scaffold, etc.). In this case, secret Manager acts as the secure configuration bridge between the tools, keeping the secrets out of human hands. As certs and passwords are generated on the infra side, those values can be stored as secrets in SM. Application workloads - backed by service accounts having access to read the secret - can decrypt during launch and use the secret as needed. You can use common patterns in both GKE (via thesecrets store csi driver ) and Cloud Run for consuming secrets in this way.

I prefer https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp

HashiCorp Vault

For a more comprehensive and robust secret management solution, get your hands on tools like GCP Secret Manager, or HashiCorp Vault. They're like the security guards of your secrets, providing a safe house, access control, and keeping logs of who’s been snooping around.

HashiCorp Vault is a popular tool for managing secrets in Kubernetes clusters. It offers advanced features such as secure storage, encryption, dynamic secrets generation, and integration with Kubernetes through its Kubernetes authentication method.

So you've just bought a new platform tool? Maybe it's Hashicorp Vault? Snyk? Backstage? You’re excited about all of the developer experience, security and other benefits you're about to unleash on your company—right? But wait…

You seem to be looking for a cross-platform solution, and https://www.vaultproject.io/ provides just that. If everything was in AWS, AWS Secret Manager might be great, but imo Vault provides much better platform-agnostic capabilities.

https://github.com/openwrt/luci/blob/master/applications/luc...

https://developer.hashicorp.com/vault/tutorials/secrets-mana... https://github.com/hashicorp/vault :

> Refer to Build Certificate Authority (CA) in Vault with an offline Root for an example of using a root CA external to Vault.

Secret Management: Securely stores sensitive configuration data and secrets using tools like AWS Secrets Manager or HashiCorp Vault. Avoid hardcoding secrets in code or configuration files.

The author of this tool basically took the Shamir code from Hashicorp Vault, which is pretty mainstream. If you're looking for a solid implementation, I would start there[0]. I wouldn't use the Shamir code from this repo, as it's an old version of the vault code using field arithmetic that doesn't run in constant time.

[0]: https://github.com/hashicorp/vault/blob/main/shamir/shamir.g...

Out of curiosity, what do you mean by this? cross-cluster? they already have HA: https://github.com/hashicorp/vault/blob/v1.14.1/website/cont...

while digging up that link, I also saw one named replication: https://github.com/hashicorp/vault/blob/v1.14.1/website/cont...