VSHN Managed Secret and PKI Management

Problem

We need to provide a secret and PKI management solution on Kubernetes with the following features:

  • Secret storage with an API

  • PKI management with an API

  • Request and use secrets and certificates from this store in OpenShift on demand

Solutions

There are currently multiple solutions available to satisfy above mentioned features:

All listed solutions meet the requirements. We therefore need to dig deeper to figure out which solution is the best for us.

Analysis Vault

Vault is the most popular and widespread solution on the market. It is probably the most feature-complete solution as of now. However, it recently changed it’s license to BSL. This unfortunately limits how we can offer Vault to our customers.

Advantages

  • The de facto industry standard

  • Self-Hostable

  • Supported by many applications and libraries

Disadvantages

  • Not open-source

  • Self hosted solution is only available in the Enterprise tier. Pricing for that tier is unknown and requires contacting their sales team

Analysis OpenBao

OpenBao is a community-driven fork of Vault and managed by the Linux Foundation. It currently is compatible with Vault. However, this might change in the future, as Vault and OpenBao will develop independently.

Advantages

  • Open-Source

  • Self-Hostable

  • Free of charge

  • Compatible with the Vault API

  • Backed by the Linux Foundation

Disadvantages

  • Might deviate from Vault in the future and not be compatible anymore

Analysis Infisical

Infisical is an alternative solution that can also be self-hosted. It offers a free and paid version.

Advantages

  • Open-Source

  • Self-Hostable

Disadvantages

  • Many key features are not open-source and require the paid version:

    • Secret Versioning

    • RBAC

    • Secret Rotation

    • SAML SSO

    • IP Allowlisting

    • No support for PKI management

  • Not compatible with the Vault API

Decision

We use OpenBao

Rationale

OpenBao is the only true Open-Source solution and thanks to the compatibility with the Vault API is also very well established in the industry. Furthermore it is maintained by the Linux Foundation, which gives us high confindence, that the project will not be abandonded quickly.

The licensing terms of Vault and the unknown pricing make it really hard to know, how much it would actually cost us, to run this service for our customers.

Altough Infisical looks like a very promising alternative, the incompatibility with the Vault API as well as the limited feature set on the free version is a huge drawback for us.