Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

backport of commit 25934124a046199f7434f9c61e1454bcbef08cdf #19836

Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion website/content/docs/platform/k8s/csi/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -148,4 +148,4 @@ the Secret Provider Class named `vault-db-creds`.
## Tutorial

Refer to the [Vault CSI Provider](/vault/tutorials/kubernetes/kubernetes-secret-store-driver)
tutorial to learn how to set up Vault and its depedencies with a Helm chart.
tutorial to learn how to set up Vault and its dependencies with a Helm chart.
6 changes: 3 additions & 3 deletions website/content/docs/platform/k8s/csi/installation.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ Then install the chart and enable the CSI feature by setting the
$ helm install vault hashicorp/vault --set="csi.enabled=true"
```

Upgrades may be performed with `helm upgrade` on an existing install. Please
Upgrades may be performed with `helm upgrade` on an existing installation. Please
always run Helm with `--dry-run` before any install or upgrade to verify
changes.

Expand Down Expand Up @@ -116,8 +116,8 @@ users:
EOF
```

Add the security context constraint for the applicaiton.
Add the security context constraint for the application.

```shell-session
$ kubectl apply -f application-scc.yaml
```
```
22 changes: 22 additions & 0 deletions website/content/docs/platform/k8s/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,28 @@ There are several ways to try Vault with Kubernetes in different environments.

- [Vault on Kubernetes Deployment Guide](/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide) covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the [Vault on Kubernetes Reference Architecture](/vault/tutorials/kubernetes/kubernetes-reference-architecture).

### High Level Comparison of Integrations

There are currently 3 different integrations to help Kubernetes workloads seamlessly consume secrets from Vault, without the need to modify the application to interact directly with Vault. Each integration addresses slightly different use-cases. The following is a brief overview of the strengths of each integration.

#### Agent Injector

- No durable secret storage outside Vault. All secrets written to disk are in ephemeral in-memory volumes.
- No highly privileged service accounts required. All secrets are fetched with the pod's own service account without the need for any other service accounts to impersonate it.
- More mature solution, with proven production record and advanced features like templating,
wider array of auth methods, etc.

#### Vault Secrets Operator (public beta)

- More native UX for app developers. Workloads can mount Kubernetes secrets without adding any Vault-specific configuration.
- Reduced load on Vault. Secrets are synced per CRD instead of per consuming pod.
- Better Vault secret availability. Kubernetes secrets act as a durable cluster-local cache of Vault secrets.

#### Vault CSI Provider

- The CSI driver that the provider is based on is vendor neutral.
- No durable secret storage outside Vault if the secret sync feature isn't used. All secrets written to disk are in ephemeral in-memory volumes.

### Documentation

- [Vault on Kubernetes Reference Architecture](/vault/tutorials/kubernetes/kubernetes-reference-architecture) provides recommended practices for running Vault on Kubernetes in production.
Expand Down
Loading