Skip to content

Commit

Permalink
backport of commit 2593412 (#19836)
Browse files Browse the repository at this point in the history
* backport of commit 2593412

---------

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
  • Loading branch information
tvoran and benashz authored Mar 29, 2023
1 parent ebfff04 commit 12002fb
Show file tree
Hide file tree
Showing 11 changed files with 976 additions and 4 deletions.
2 changes: 1 addition & 1 deletion website/content/docs/platform/k8s/csi/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -148,4 +148,4 @@ the Secret Provider Class named `vault-db-creds`.
## Tutorial

Refer to the [Vault CSI Provider](/vault/tutorials/kubernetes/kubernetes-secret-store-driver)
tutorial to learn how to set up Vault and its depedencies with a Helm chart.
tutorial to learn how to set up Vault and its dependencies with a Helm chart.
6 changes: 3 additions & 3 deletions website/content/docs/platform/k8s/csi/installation.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ Then install the chart and enable the CSI feature by setting the
$ helm install vault hashicorp/vault --set="csi.enabled=true"
```

Upgrades may be performed with `helm upgrade` on an existing install. Please
Upgrades may be performed with `helm upgrade` on an existing installation. Please
always run Helm with `--dry-run` before any install or upgrade to verify
changes.

Expand Down Expand Up @@ -116,8 +116,8 @@ users:
EOF
```

Add the security context constraint for the applicaiton.
Add the security context constraint for the application.

```shell-session
$ kubectl apply -f application-scc.yaml
```
```
22 changes: 22 additions & 0 deletions website/content/docs/platform/k8s/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,28 @@ There are several ways to try Vault with Kubernetes in different environments.

- [Vault on Kubernetes Deployment Guide](/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide) covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the [Vault on Kubernetes Reference Architecture](/vault/tutorials/kubernetes/kubernetes-reference-architecture).

### High Level Comparison of Integrations

There are currently 3 different integrations to help Kubernetes workloads seamlessly consume secrets from Vault, without the need to modify the application to interact directly with Vault. Each integration addresses slightly different use-cases. The following is a brief overview of the strengths of each integration.

#### Agent Injector

- No durable secret storage outside Vault. All secrets written to disk are in ephemeral in-memory volumes.
- No highly privileged service accounts required. All secrets are fetched with the pod's own service account without the need for any other service accounts to impersonate it.
- More mature solution, with proven production record and advanced features like templating,
wider array of auth methods, etc.

#### Vault Secrets Operator (public beta)

- More native UX for app developers. Workloads can mount Kubernetes secrets without adding any Vault-specific configuration.
- Reduced load on Vault. Secrets are synced per CRD instead of per consuming pod.
- Better Vault secret availability. Kubernetes secrets act as a durable cluster-local cache of Vault secrets.

#### Vault CSI Provider

- The CSI driver that the provider is based on is vendor neutral.
- No durable secret storage outside Vault if the secret sync feature isn't used. All secrets written to disk are in ephemeral in-memory volumes.

### Documentation

- [Vault on Kubernetes Reference Architecture](/vault/tutorials/kubernetes/kubernetes-reference-architecture) provides recommended practices for running Vault on Kubernetes in production.
Expand Down
Loading

0 comments on commit 12002fb

Please sign in to comment.