Skip to content

Comparison

A vault injector retrieves credentials from a vault database engine and injects them into pods' environment variables. This document compares different existing tools with the new vault injector being developed.

Summary

1. Why Vault-Db-Injector?

Before comparing Vault-Db-Injector with existing tools, we would like to share that we initially investigated various vault injector solutions designed to fetch credentials from Vault.

After extensive research, we found no tools that matched our needs, and most of them were difficult to contribute to.

Vault-Db-Injector is not a replacement for any existing vault injector but a tool more focused on security and the database engine.

We didn't intend to reinvent the wheel but designed a tool that perfectly matches our needs and shared it with those who might be interested.

2. Tools Comparison

Here are the major tools that we compare our injector to:

3. Our needs

Here are our needs by importance in our research :

  • Handle database engine
  • Injection through environment variables
  • Easy to use for developpers
  • Audit logging
  • Lease can be automatically renewed and revoked
  • State is available for debugging purpose and manual revocation also
  • Working with a single deployment

4. Comparison Table

Feature Vault-Db-Injector Vault Agent Injector Bank Vault (webhook) Vals Operator Vault CSI Provider
Credential Source Vault Database Engine Multiple Engines Secret Engine Multiple Engine K/V
Engine Database All K/V Database and K/V K/V
Injection Method Pod Environment Vars Sidecar Container / Init Container Init Container (in-memory) Kubernetes Secrets CSI Volume
Dynamic Secret Rotation 🚫 Not needed βœ… Yes βœ… Yes ❌ No βœ… Yes
Access Control Role-Based Policies Role-Based Policies Role-Based Policies Role-Based Policies Role-Based Policies
Configuration Complexity 🟒 Low πŸ”΄ Very High 🟒 Low 🟠 Moderate 🟠 Moderate
User Complexity 🟒 Low πŸ”΄ Very High 🟒 Low 🟠 Moderate 🟒 Low
Operation Mode Deployment Deployment Deployment Operator Operator
Configuration Mode Annotations Annotations Through Env CRDS CRDS
Handle Environment βœ… Yes ❌ No βœ… Yes βœ… Yes βœ… Yes (secretRef)
Secret Encryption βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes
Audit Logging βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes
Accessible state βœ… Yes ❌ No ❌ No ❌ No ❌ No
Lease Renew βœ… Yes βœ… Yes - πŸ€” With restarting -
Lease Revocation βœ… Yes ❌ No - ❌ No -
Community Support 🌱 Growing 🟒 Established 🟠 Moderate 🟠 Moderate 🟒 Established

4.1. Key

  • βœ… Yes
  • ❌ No
  • πŸ€” Consideration (Intermediate)
  • 🚫 Not Needed
  • 🟒 Low
  • 🟠 Moderate
  • πŸ”΄ High

5. Conclusion

This comparison highlights the unique features and capabilities of the new vault injector. While similar in many ways to existing solutions, the new tool offers dynamic secret rotation without requiring pod restarts, moderate configuration complexity, and robust access control, making it a compelling choice for managing secrets in Kubernetes environments.