VSO CSI driver documentation #691
Conversation
Vercel Previews Deployed
|
Broken Link CheckerNo broken links found! 🎉 |
digivava
changed the title
content/vault/v1.20.x/content/docs/deploy/kubernetes/csi/index.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/csi/index.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/csi/index.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/index.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/installation.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/installation.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/installation.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/vso-csi.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/csi/index.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/csi/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/csi/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/csi/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/csi/setup.mdx
Outdated
Show resolved
Hide resolved
Co-authored-by: Sarah Chavis <[email protected]>
…etup.mdx Co-authored-by: Sarah Chavis <[email protected]>
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/csi/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/csi/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/vso/csi/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.20.x/content/docs/deploy/kubernetes/comparisons.mdx
Outdated
Show resolved
Hide resolved
Co-authored-by: Sarah Chavis <[email protected]>
Co-authored-by: Sarah Chavis <[email protected]>
…icorp/web-unified-docs into VAULT-38324/csi-driver-docs-for-vso
content/vault/v1.20.x/content/docs/deploy/kubernetes/comparisons.mdx
Outdated
Show resolved
Hide resolved
|
|
||
| </Tab> | ||
|
|
||
| <Tab heading="I/O, CPU, and memory consumption"> |
There was a problem hiding this comment.
Maybe just "Resource consumption"?
| | Low resource consumption. I/O, CPU, Memory | Yes | Yes | No | ||
| | Secret data limited to ephemeral volumes | No, except with CSI driver | Yes | Yes | ||
| | Pod Autoscaling dependent on Vault availability | No | Yes | Yes | ||
| | Adoption of the K8s operator model | Yes | Yes | No |
There was a problem hiding this comment.
How does the operator model affect the use case recommendation?
There was a problem hiding this comment.
Yeah the intent seems to be covered by "Kubernetes-native" above, so I'll remove this row.
content/vault/v1.20.x/content/docs/deploy/kubernetes/comparisons.mdx
Outdated
Show resolved
Hide resolved
| The [Vault Agent Injector](/vault/docs/platform/k8s/injector) injects Vault Agent sidecar containers into pods. | ||
| The Agent containers authenticate with Vault and render secrets to a shared memory volume for consumption by application containers. | ||
|
|
||
| **Best for:** Applications requiring dynamic secret rotation or direct Vault Agent functionality. |
There was a problem hiding this comment.
Vault Secrets Operator does a lot with dynamic secret rotation too (and is arguably better in some cases with the rollout-restart functionality), so I'm not sure that's a standout feature of Vault Agent Injector.
The standout things in my mind for Vault Agent Injector are that Agent's templating can reference multiple Vault secrets in one template, and it probably supports the most auth methods through Agent's auto-auth.
|
|
||
| | Limitation | Vault Secrets Operator | Vault Secrets Store CSI provider | Vault Agent Injector | ||
| | ------------------------------------------------- | --------------------------------- | ---------------------------- | -------------- | ||
| | Simple configuration | Yes | Yes | No |
There was a problem hiding this comment.
"Simple configuration" is pretty subjective here; I consider all of them complicated in their own ways 🙂. I personally find it more complex to tie multiple yaml configs together for Vault Secrets Operator and CSI Provider, vs having all the config in the deployment yaml annotations. Others may find the Agent templating language more complex 🤷.
We could say something about ease of use in applications instead? e.g. being able to read and use k8s volumes vs only reading from a file with Agent Injector.
|
|
||
| </Tab> | ||
|
|
||
| <Tab heading="I/O, CPU, and memory consumption"> |
There was a problem hiding this comment.
Maybe just "Resource consumption"?
| - **Vault Secrets Operator** - Low consumption. | ||
| - **Vault Secrets Store CSI provider** - Medium consumption. |
There was a problem hiding this comment.
What are the reasons for the difference in consumption for these two?
|
|
||
| - **Vault Secrets Operator** - Low consumption. | ||
| - **Vault Secrets Store CSI provider** - Medium consumption. | ||
| - **Vault Agent Injector** - High consumption due to the number of sidecar containers per pod. |
There was a problem hiding this comment.
It's just one sidecar and/or one init container per Pod, which aren't running simultaneously; maybe just drop the "per pod" bit?
Side note: Do we have data showing high cpu and memory usage for Agent? The default CPU and memory resource requests are pretty high, but they can be tuned down fairly low IIRC.
| Integrations that use ephemeral storage have variable availability because | ||
| secret access depends on Vault availability. | ||
|
|
||
| - **Vault Secrets Store CSI provider** - Variable availability. | ||
| - **Vault Agent Injector** - Variable availability. | ||
| - **Vault Secrets Operator** - Best availability. Kubernetes Secrets act as durable cache. |
There was a problem hiding this comment.
secret access depends on Vault availability.
Isn't that true for any of these? i.e. nothing can fetch secrets if Vault is down. If a secret is fetched from Vault and rendered, Vault subsequently going down isn't going to clear the rendered secret for CSI provider or Agent, is it?
Integrations using ephemeral storage means the rendered secret lifecycle is tied to the Pod lifecycle, instead of being independent for VSO, maybe re-frame along those lines?
Co-authored-by: Theron Voran <[email protected]>
This PR contains documentation for a new feature being added to the VSO Helm chart, a HashiCorp-maintained "CSI driver".
(Do not merge until:
I also updated other relevant pages to link to it for easier discoverability.