| 1 | +--- |
| 2 | +title: "Hashicorp Vault as Secret Management" |
| 3 | +date: "2025-04-14" |
| 4 | +--- |
| 5 | + |
| 6 | + |
| 7 | +| status: | date: | decision-makers: | |
| 8 | +| --- | --- | --- | |
| 9 | +| proposed | 2025-04-14 | Kasper Møller | |
| 10 | + |
| 11 | +## Context and Problem Statement |
| 12 | + |
| 13 | +Managing secrets in Kubernetes is a critical aspect of ensuring the security of sensitive data such as API keys, passwords, and certificates. Kubernetes Secrets, while convenient, store data in plaintext by default, which poses a security risk. To increase security of the sensitive data at rest, encryption is necessary. |
| 14 | + |
| 15 | +To mitigate this risk, a robust secret management solution is required. This solution should provide strong encryption, easy integration with Kubernetes, and support for secret rotation. Additionally, it should be easy to use and manage, allowing teams to focus on their applications rather than the underlying infrastructure. |
| 16 | + |
| 17 | +### Do i need it |
| 18 | + |
| 19 | +If it is possible to use a cloud-provided security management tool (e.g., AWS KMS, Azure Key Vault, or GCP KMS), it is recommended to use those tools for secret management. These tools are designed to handle sensitive data securely and provide built-in features for encryption, access control, and auditing. however it is recommended to utilize **External Secrets Operator** to manage the secrets in Kubernetes. This operator allows you to synchronize secrets from external secret management systems into Kubernetes secrets, making it easier to change the secret management solution without changing the way secrets are accessed in your applications to avoid vendor lock-in. |
| 20 | + |
| 21 | +However, when cloud-based solutions are not viable, an on-premises or self-hosted solution is required to manage secrets effectively. |
| 22 | + |
| 23 | +### The criterias of making a choice |
| 24 | + |
| 25 | +* **Security:** Is there sensitive data that requires stronger protection than Kubernetes' default base64 encoding? |
| 26 | +* **Scalability:** What is the scale of the application, and how many secrets need to be managed? |
| 27 | +* **Expertise:** What level of experience does the team have with secret management tools? |
| 28 | +* **Integration:** How well does the solution integrate with existing tools and workflows? |
| 29 | +* **Ease of Use:** How easy is it to set up and manage the solution? |
| 30 | +* **Cost:** What are the costs associated with using the solution, including licensing, infrastructure, and maintenance? |
| 31 | + |
| 32 | +## Considered Options |
| 33 | + |
| 34 | +* **SOPS:** A simple and lightweight tool for managing secrets. It encrypts YAML, JSON, ENV, INI and BINARY files using a variety of backends (e.g., AWS KMS, GCP KMS, Azure Key Vault, age, and PGP). |
| 35 | +* **Sealed Secrets:** A Kubernetes-native solution that encrypts secrets using a controller and a public/private key pair. It is simple to use but tightly coupled to Kubernetes. |
| 36 | +* **HashiCorp Vault:** A feature-rich secret management solution that provides strong encryption, access control, and auditing capabilities. It supports various backends for storage. |
| 37 | + |
| 38 | +## Decision Outcome |
| 39 | + |
| 40 | +Chosen option: **HashiCorp Vault**, because it provides a comprehensive solution for managing secrets with strong encryption and access control. It integrates well with Kubernetes and supports secret rotation, making it suitable for managing sensitive data in a secure manner. Additionally, **HashiCorp Vault** offers a wide range of features, including dynamic secrets, leasing, and revocation, which enhance security and flexibility in managing secrets. |
| 41 | + |
| 42 | +The secrets in **HashiCorp Vault** can be accessed using **External Secrets Operator**, which allows for seamless integration with Kubernetes. This enables the possibility to exchange the secret management solution in the future without changing the way secrets are accessed in applications. |
| 43 | + |
| 44 | +**HashiCorp Vault** has a fixed based on the required package and it is reccomended to look into the pricing for the other external providers such as AWS KMS, Azure Key Vault, or GCP KMS to see if they are more cost-effective for your use case. The use of **External Secrets Operator** is the same regardless and is free to use. |
| 45 | + |
| 46 | +**SOPS** and **Sealed Secrets** are also good options, but they may not provide the same level of security and features as **HashiCorp Vault**. They require a well defined strategy for managing secrets and may not be as scalable or flexible as **HashiCorp Vault** which introduces additional complexity and will be harder to manage in the long run. |
| 47 | + |
| 48 | +### Consequences |
| 49 | + |
| 50 | +* Good, because: |
| 51 | + * vast range of features for managing secrets. |
| 52 | + * strong encryption and access control. |
| 53 | + * supports secret rotation and dynamic secrets. |
| 54 | + * integrates well with Kubernetes. |
| 55 | +* Bad, because: |
| 56 | + * requires additional setup and management compared to simpler solutions. |
| 57 | + * requires a license for enterprise features. |
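Review bot: line 44 of the added ADR is missing its key noun, "**HashiCorp Vault** has a fixed based on the required package", which leaves the cost argument unreadable; it should state what is fixed (presumably the price tier) and, since the "Consequences" list already says "requires a license for enterprise features", make clear whether the chosen deployment relies on the free or the licensed tier, because that decides the Cost criterion the record itself lists. The Decision Outcome also never says how External Secrets Operator will authenticate to Vault or which secrets engine and policy scope it gets; for an ADR whose motivation is access control and rotation, a sentence on the intended auth method and least-privilege policy boundary belongs under "Decision Outcome" or "Consequences". Minor wording: "Do i need it" should be "Do I need it?", "The criterias of making a choice" should be "Criteria for making a choice", "reccomended" should be "recommended", and the lowercase "however it is recommended to utilize..." on line 19 reads as a run-on after the sentence recommending cloud KMS; splitting it as "Even then, use External Secrets Operator..." makes the intent (avoid lock-in regardless of backend) explicit.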