Comparison
A vault injector retrieves credentials from a vault database engine and injects them into pods' environment variables. This document compares different existing tools with the new vault injector being developed.
Summary
1. Why Vault-Db-Injector?
Before comparing Vault-Db-Injector with existing tools, we would like to share that we initially investigated various vault injector solutions designed to fetch credentials from Vault.
After extensive research, we found no tools that matched our needs, and most of them were difficult to contribute to.
Vault-Db-Injector is not a replacement for any existing vault injector but a tool more focused on security and the database engine.
We didn't intend to reinvent the wheel but designed a tool that perfectly matches our needs and shared it with those who might be interested.
2. Tools Comparison
Here are the major tools that we compare our injector to:
3. Our needs
Here are our needs by importance in our research :
- Handle database engine
- Injection through environment variables
- Easy to use for developpers
- Audit logging
- Lease can be automatically renewed and revoked
- State is available for debugging purpose and manual revocation also
- Working with a single deployment
4. Comparison Table
| Feature | Vault-Db-Injector | Vault Agent Injector | Bank Vault (webhook) | Vals Operator | Vault CSI Provider |
|---|---|---|---|---|---|
| Credential Source | Vault Database Engine | Multiple Engines | Secret Engine | Multiple Engine | K/V |
| Engine | Database | All | K/V | Database and K/V | K/V |
| Injection Method | Pod Environment Vars | Sidecar Container / Init Container | Init Container (in-memory) | Kubernetes Secrets | CSI Volume |
| Dynamic Secret Rotation | π« Not needed | β Yes | β Yes | β No | β Yes |
| Access Control | Role-Based Policies | Role-Based Policies | Role-Based Policies | Role-Based Policies | Role-Based Policies |
| Configuration Complexity | π’ Low | π΄ Very High | π’ Low | π Moderate | π Moderate |
| User Complexity | π’ Low | π΄ Very High | π’ Low | π Moderate | π’ Low |
| Operation Mode | Deployment | Deployment | Deployment | Operator | Operator |
| Configuration Mode | Annotations | Annotations | Through Env | CRDS | CRDS |
| Handle Environment | β Yes | β No | β Yes | β Yes | β Yes (secretRef) |
| Secret Encryption | β Yes | β Yes | β Yes | β Yes | β Yes |
| Audit Logging | β Yes | β Yes | β Yes | β Yes | β Yes |
| Accessible state | β Yes | β No | β No | β No | β No |
| Lease Renew | β Yes | β Yes | - | π€ With restarting | - |
| Lease Revocation | β Yes | β No | - | β No | - |
| Community Support | π± Growing | π’ Established | π Moderate | π Moderate | π’ Established |
4.1. Key
- β Yes
- β No
- π€ Consideration (Intermediate)
- π« Not Needed
- π’ Low
- π Moderate
- π΄ High
5. Conclusion
This comparison highlights the unique features and capabilities of the new vault injector. While similar in many ways to existing solutions, the new tool offers dynamic secret rotation without requiring pod restarts, moderate configuration complexity, and robust access control, making it a compelling choice for managing secrets in Kubernetes environments.