secrets-store-csi-driver VS vault-secrets-operator

I'm not a fan of this approach. I think the Secrets Store CSI Driver (https://secrets-store-csi-driver.sigs.k8s.io/) has a better approach.

Secret Store CSI Driver is what we're playing with now. Pretty excellent.

If you deploy on k8s, keep your eye on https://secrets-store-csi-driver.sigs.k8s.io/

Considering the major limitations of using Kubernetes Secrets, there are many new approaches being developed by the Kubernetes community. Kubernetes SIGs like the Secrets Store CSI Driver and solutions like the external secrets operator that works with third-party secret managers, and options to seal secrets through tools like bitnami’s sealed-secrets. To skip the tools and move directly to best practices, click here.

Just to clarify, CSI secret driver is from cncf not Microsoft. Only msft piece is the portion that integrates with key vault. https://secrets-store-csi-driver.sigs.k8s.io/

https://secrets-store-csi-driver.sigs.k8s.io/ and https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-secret-store-driver

The Secrets Store CSI Driver is a native upstream Kubernetes driver that can be used to abstract where the secret is stored from the workload. If you want to use a cloud provider's secret manager without exposing the secrets as Kubernetes Secret objects, you can use the CSI Driver to mount secrets as volumes in your pods. This is a great option if you use a cloud provider to host your Kubernetes cluster. The driver supports many cloud providers and can be used with different secret managers.

If you want security they are both bad, use something like the secret manager of your choice API directly in your app or https://secrets-store-csi-driver.sigs.k8s.io/ this will keep the actual secrets out of etcd and env vars and give you more security

For home use, I wouldn't bother with Vault unless that's really what you want to learn. Then it's worth looking into setting something up where you could use vault secrets, using one of the available options (I haven't seen the vault-secrets-operator being mentioned).

It is but it affects vault-secrets-operator too, see https://github.com/ricoberger/vault-secrets-operator/issues/104 (and no, I’ve only use vault-secrets-operator)

If you are using an external KMS in any case, then there are other options, such as the kubernetes-external-secrets operator that was originally started by GoDaddy and the externalsecret-operator from Container Solutions. If you use HashiCorp Vault, you also have the option of using the Vault Secrets operator. This works similarly to the Sealed Secrets Operator, but instead of managing its own key material, it retrieves the secrets from Vault. The CNCF Technology Radar from January 2021 provides an overview of the types of tools that are available for secrets management.