vault-k8s VS kubernetes-external-secrets

Hashicorp Vault k8s is an operator that modifies pods via a mutating webhook to connect between vault and pod via sidecars (additional containers) to provide secrets. This has the major advantage that no secret objects are created in Kubernetes here. The disadvantage is that this way only works with Vault.

They’ve made it so you can define the order that the vault sidecar starts in, so that the proxy will be running first. https://github.com/hashicorp/vault-k8s/issues/53

$ helm repo add external-secrets https://external-secrets.github.io/kubernetes-external-secrets/ "external-secrets" has been added to your repositories $ helm install k8s-external-secrets external-secrets/kubernetes-external-secrets -f values.yaml NAME: k8s-external-secrets LAST DEPLOYED: Wed Mar 23 22:50:35 2022 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: The kubernetes external secrets has been installed. Check its status by running: $ kubectl --namespace default get pods -l "app.kubernetes.io/name=kubernetes-external-secrets,app.kubernetes.io/instance=k8s-external-secrets" Visit https://github.com/external-secrets/kubernetes-external-secrets for instructions on how to use kubernetes external secrets

I’m reading above that you weren’t aware of sealed-secrets. So I guess that you are not familiar with ExternalSecrets secrets neither. Very solid project

They probably should merge with https://github.com/external-secrets/kubernetes-external-secr...

I do not recommend vault if you are not experienced. It is a heavy infra to manage. I suggest looking into https://github.com/external-secrets/kubernetes-external-secrets and selecting the tool offered by your cloud providers.

We don't keep anything sensitive inside of Helm charts. We use AWS Secrets Manager and external-secrets

We did a solution based on external secrets(https://github.com/external-secrets/kubernetes-external-secrets) and stakater reloader (https://github.com/stakater/Reloader)

Just FYI also, depending on which K8s Version you’re on you might run into this: https://github.com/external-secrets/kubernetes-external-secrets/issues/721