vault-k8s VS sops-secrets-operator

Compare vault-k8s vs sops-secrets-operator and see what are their differences.

vault-k8s

First-class support for Vault and Kubernetes. (by hashicorp)
Suggest topics
Source Code
Suggest alternative
Edit details

sops-secrets-operator

Kubernetes SOPS secrets operator (by isindir)
Suggest topics
Source Code
Suggest alternative
Edit details
WorkOS
Our great sponsors
  • WorkOS - The modern identity platform for B2B SaaS
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • SaaSHub - Software Alternatives and Reviews
Our great sponsors
vault-k8s sops-secrets-operator
5 4
768 286
1.6% -
8.5 7.7
6 days ago 6 days ago
Go Go
Mozilla Public License 2.0 Mozilla Public License 2.0
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

vault-k8s

Posts with mentions or reviews of vault-k8s. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-01-18.
  • How to expose the UI and API endpoint in HA TLS RAFT config
    1 project | /r/hashicorp | 8 Mar 2023
    enabled: true # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/ image: repository: "hashicorp/vault-k8s" tag: "latest" resources: requests: memory: 256Mi cpu: 250m limits: memory: 256Mi cpu: 250m server: # These Resource Limits are in line with node requirements in the # Vault Reference Architecture for a Small Cluster resources: requests: memory: 8Gi cpu: 2000m limits: memory: 16Gi cpu: 2000m # For HA configuration and because we need to manually init the vault, # we need to define custom readiness/liveness Probe settings readinessProbe: enabled: true path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" livenessProbe: enabled: true path: "/v1/sys/health?standbyok=true" initialDelaySeconds: 60 # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. extraEnvironmentVars: VAULT_CACERT: /vault/userconfig/tls-ca/ca.crt # extraVolumes is a list of extra volumes to mount. These will be exposed # to Vault in the path \/vault/userconfig//`. extraVolumes: - type: secret name: tls-ca - type: secret name: tls-listener-1 - type: secret name: tls-server # This configures the Vault Statefulset to create a PVC for audit logs. # See https://www.vaultproject.io/docs/audit/index.html to know more auditStorage: enabled: true storageClass: solidfire-gold dataStorage: enabled: true storageClass: solidfire-gold standalone: enabled: false # Run Vault in "HA" mode. ha: enabled: true replicas: 3 raft: enabled: true setNodeId: true config: |          ui = true          listener "tcp" {            address = "0.0.0.0:8200"            cluster_address = "0.0.0.0:8201"            tls_cert_file = "/vault/userconfig/tls-listener-1/server.crt"            tls_key_file = "/vault/userconfig/tls-listener-1/server.key"            tls_client_ca_file = "/vault/userconfig/tls-ca/ca.crt"          }          storage "raft" {            path = "/vault/data"            retry_join {              leader_api_addr = "https://vault-0.vault-internal:8200"`               leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"               leader_client_cert_file = "/vault/userconfig/tls-server/server.crt"               leader_client_key_file = "/vault/userconfig/tls-server/server.key"             }             retry_join {               leader_api_addr = "https://vault-1.vault-internal:8200"               leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"               leader_client_cert_file = "/vault/userconfig/tls-server/server.crt"               leader_client_key_file = "/vault/userconfig/tls-server/server.key"             }             retry_join {               leader_api_addr = "https://vault-2.vault-internal:8200"               leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"               leader_client_cert_file = "/vault/userconfig/tls-server/server.crt"               leader_client_key_file = "/vault/userconfig/tls-server/server.key"             }             autopilot {               cleanup_dead_servers = "true"               last_contact_threshold = "200ms"               last_contact_failure_threshold = "10m"               max_trailing_logs = 250000               min_quorum = 3               server_stabilization_time = "10s"             }           }           service_registration "kubernetes" {} # Vault UI ui: enabled: true serviceType: "LoadBalancer" externalPort: 8443 loadBalancerIP: 10.193.124.70 loadBalancerSourceRanges: - 0.0.0.0/0
  • Raft heartbeat failures
    1 project | /r/hashicorp | 5 Mar 2023
    vault: global: enabled: true tlsDisable: false injector: enabled: true # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/ image: repository: "hashicorp/vault-k8s" tag: "latest" resources: requests: memory: 256Mi cpu: 250m limits: memory: 256Mi cpu: 250m server: # These Resource Limits are in line with node requirements in the # Vault Reference Architecture for a Small Cluster resources: requests: memory: 8Gi cpu: 2000m limits: memory: 16Gi cpu: 2000m # For HA configuration and because we need to manually init the vault, # we need to define custom readiness/liveness Probe settings readinessProbe: enabled: true path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" livenessProbe: enabled: true path: "/v1/sys/health?standbyok=true" initialDelaySeconds: 60 # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. extraEnvironmentVars: VAULT_CACERT: /vault/userconfig/tls-ca/ca.crt # extraVolumes is a list of extra volumes to mount. These will be exposed # to Vault in the path \/vault/userconfig//`. extraVolumes: - type: secret name: tls-listener - type: secret name: tls-server - type: secret name: tls-ca # This configures the Vault Statefulset to create a PVC for audit logs. # See https://www.vaultproject.io/docs/audit/index.html to know more auditStorage: enabled: true storageClass: solidfire-gold dataStorage: enabled: true storageClass: solidfire-gold standalone: enabled: false # Run Vault in "HA" mode. ha: enabled: true replicas: 3 raft: enabled: true setNodeId: true config: |          ui = true          listener "tcp" {            address = "[::]:8200"            cluster_address = "[::]:8201"            tls_cert_file = "/vault/userconfig/tls-listener/server.crt"            tls_key_file = "/vault/userconfig/tls-listener/server.key"            tls_client_ca_file = "/vault/userconfig/tls-ca/ca.crt"          }          storage "raft" {            path = "/vault/data"            retry_join {              leader_api_addr = "https://vault-0.vault-internal:8200"`               leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"               leader_client_cert_file = "/vault/userconfig/tls-server/server.crt"               leader_client_key_file = "/vault/userconfig/tls-server/server.key"             }             retry_join {               leader_api_addr = "https://vault-1.vault-internal:8200"               leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"               leader_client_cert_file = "/vault/userconfig/tls-server/server.crt"               leader_client_key_file = "/vault/userconfig/tls-server/server.key"             }             retry_join {               leader_api_addr = "https://vault-2.vault-internal:8200"               leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"               leader_client_cert_file = "/vault/userconfig/tls-server/server.crt"               leader_client_key_file = "/vault/userconfig/tls-server/server.key"             }             autopilot {               cleanup_dead_servers = "true"               last_contact_threshold = "200ms"               last_contact_failure_threshold = "10m"               max_trailing_logs = 250000               min_quorum = 5               server_stabilization_time = "10s"             }           }           service_registration "kubernetes" {} # Vault UI ui: enabled: true serviceType: "LoadBalancer" serviceNodePort: null externalPort: 8200
  • GitOps and Kubernetes – Secure Handling of Secrets
    7 projects | dev.to | 18 Jan 2023
    Hashicorp Vault k8s is an operator that modifies pods via a mutating webhook to connect between vault and pod via sidecars (additional containers) to provide secrets. This has the major advantage that no secret objects are created in Kubernetes here. The disadvantage is that this way only works with Vault.
  • Practices to Retrieve Vault Credentials
    1 project | /r/devops | 30 Dec 2021
  • Solving ArgoCD Secret Management with the argocd-vault-plugin
    2 projects | /r/kubernetes | 6 Feb 2021
    They’ve made it so you can define the order that the vault sidecar starts in, so that the proxy will be running first. https://github.com/hashicorp/vault-k8s/issues/53

sops-secrets-operator

Posts with mentions or reviews of sops-secrets-operator. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-01-23.
  • Secret Management in Kubernetes: Approaches, Tools, and Best Practices
    8 projects | dev.to | 23 Jan 2023
    sops-secrets-operator (sops)
  • GitOps and Kubernetes – Secure Handling of Secrets
    7 projects | dev.to | 18 Jan 2023
    There is also a third-party sops-secrets operator available.
  • How to pass credentials to my app?
    3 projects | /r/GitOps | 5 Dec 2021
    I have configured sops-secret-controller too, I'll be using that to manage my secrets. But my problem is that I don't know beforehand the value.
  • Automation assistants: GitOps tools in comparison
    28 projects | dev.to | 12 Aug 2021
    SOPS that was developed by Mozilla offers significantly more options, though at the expense of a more complex configuration. Here, the key material can come from the key management systems (KMS) of the major cloud providers, from your own HashiCorp Vault, or from configured PGP keys. SOPS itself does not contain an operator, but there are different ways to use it with GitOps. Flux v2 offers native support. There is also the helm-secrets plug-in, which can also be used in ArgoCD with the manual configuration. There is also a sops-secrets operator that has been developed by a third party.

What are some alternatives?

When comparing vault-k8s and sops-secrets-operator you can also consider the following projects:

kubernetes-external-secrets - Integrate external secret management systems with Kubernetes

argocd-vault-plugin - An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets

argo-cd - Declarative Continuous Deployment for Kubernetes

sealed-secrets-web - A web interface for Sealed Secrets by Bitnami.

sealed-secrets - A Kubernetes controller and tool for one-way encrypted Secrets

fleet - Deploy workloads from Git to large fleets of Kubernetes clusters

terraform-k8s - Terraform Cloud Operator for Kubernetes

sops - Simple and flexible tool for managing secrets

cluster-api - Home for Cluster API, a subproject of sig-cluster-lifecycle

Flux - Successor: https://github.com/fluxcd/flux2

helm-secrets - A helm plugin that help manage secrets with Git workflow and store them anywhere

vault-k8s vs kubernetes-external-secrets sops-secrets-operator vs kubernetes-external-secrets vault-k8s vs argocd-vault-plugin sops-secrets-operator vs argo-cd vault-k8s vs sealed-secrets-web sops-secrets-operator vs sealed-secrets sops-secrets-operator vs fleet sops-secrets-operator vs terraform-k8s sops-secrets-operator vs sops sops-secrets-operator vs cluster-api sops-secrets-operator vs Flux sops-secrets-operator vs helm-secrets