BanzaiCloud Bank-Vaults
In this article I will show how to use Bank-Vaults, developed by the Banzai Cloud team (now part of Cisco). Bank-Vaults has three components: vault-operator, vault-secrets-webhook, and HashiCorp Vault itself.
Vault Operator — after deploying this operator, we can install and configure HashiCorp Vault in HA or single mode using the operator's CRD.
Vault Secrets Webhook — with the help of this webhook, the vault-env init container brings secrets into the memory of the Pod, and with it the microservice app can get secret key values from HashiCorp Vault.
HashiCorp Vault — a wonderful application that lets us store our secrets in multiple ways (with a very clear API).
With Bank-Vaults we don't need a vault-agent sidecar container, and we cannot get the real secret value inside the microservice container.
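As an added illustration (not taken from the article's repository), this is what a workload handled by the vault-secrets-webhook typically looks like: the Pod spec carries only a `vault:` reference, and vault-env resolves it in the application process's memory at start-up. The Deployment name, Vault address, role, TLS secret and secret path are assumptions, and the example assumes Vault's Kubernetes auth method is enabled with a matching role.

```yaml
# Added example: every name, address and path below is an assumption.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app                 # hypothetical workload
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
      annotations:
        # Vault endpoint that the injected vault-env binary contacts (assumed address)
        vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc:8200"
        # Vault role bound to this Pod's service account (assumed name)
        vault.security.banzaicloud.io/vault-role: "demo-app"
        # Keep TLS verification on and point at the Secret holding Vault's CA
        vault.security.banzaicloud.io/vault-skip-verify: "false"
        vault.security.banzaicloud.io/vault-tls-secret: "vault-tls"
    spec:
      serviceAccountName: demo-app
      containers:
        - name: app
          image: alpine:3.19
          # An explicit command lets the webhook prefix it with vault-env
          command: ["sh", "-c", "echo started && sleep 3600"]
          env:
            # Only this reference is stored in the Pod spec and etcd;
            # format is vault:<KV v2 path>#<key>
            - name: DB_PASSWORD
              value: "vault:secret/data/demo-app/db#password"
```

After applying it, `kubectl describe pod` and `kubectl exec <pod> -- env` both show the `vault:` reference rather than the resolved value, because only the process started by vault-env receives the real secret in its environment.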
To see a real illustration of how it works, just look at the following GIF, which I got from their official page.
The code files which I have used are located in this GitHub repository. I have used a GC bucket as the backend, with auto unseal, in HA mode. For authentication I have used GitHub and Google OIDC.
We can see the real simulation in the following video. I hope it will be useful to all of us.