
README request: CredHub vs Vault #12

Closed
drnic opened this issue Mar 9, 2017 · 9 comments

Comments

@drnic
Contributor

drnic commented Mar 9, 2017

It would be awesome to summarize "CredHub vs Vault" in the readme. This will help explain to everyone why we are going down a path that's independent of the Vault ecosystem of existing tooling; and for non-CF/BOSH users it would explain why they'd deploy CredHub rather than Vault.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/141440251

The labels on this github issue will be updated when the story is started.

@danjahner
Contributor

Hi Dr. Nic -

I am a bit skeptical about whether a 'CredHub vs. Vault' document is valuable. I certainly agree that we need better documentation of our goals and use-cases, which is something on my to-do list.

The goal of the CredHub project is to provide an extendable and well integrated open source credential management solution for Cloud Foundry use-cases. We felt that we could cover these use-cases better by implementing a new product as opposed to wrapping Vault. Beyond UX and dependency concerns, some of the features that CF users want, e.g. HSM support, are only available in the commercial distribution of Vault.

All of that said - our goal is not to tell you not to use Vault. We are providing a product that will hopefully cover these use-cases very well, but you will always have the option to use Vault + wrappers if that is your preference.

Hope that helps.
Dan

@drnic
Contributor Author

drnic commented Mar 14, 2017 via email

@domdom82

This is an interesting one! Actually, we are currently investigating whether to use CredHub natively or wrap Vault (the free version) in a BOSH release. Vault seems more mature and established atm; CredHub may become the de facto standard for CF-based deployments (does it?).

@drnic Is there already a version of that README available?
Thanks!

@Freakin

Freakin commented Sep 25, 2017

@domdom82 There is an existing Vault BOSH release (thanks @drnic), so don't create your own:
https://github.com/cloudfoundry-community/vault-boshrelease

@wfernandes

Seems like this issue is getting a lot of traffic since it is the number 1 result when searching "vault vs. credhub".
@danjahner Can we link the document/README (if one exists) describing the goals and use cases for CredHub as mentioned in this comment?

@v6

v6 commented Aug 10, 2018

// , This question has come up at some important architecture meetings I have attended, and I didn't know what PCF CredHub was.

This page is also the top result for a search for credhub vs on duckduckgo.com:

https://duckduckgo.com/?q=credhub+vs&t=hi&ia=web

It's worth addressing, even in a more general "Credhub vs. Other Tools" type of document.

It seems that Vault is more of a general-purpose tool designed without any particular Cloud Platform, Cloud Service or OS in mind, and it seems like PCF CredHub is the best choice for architecture tied to PCF. But I would welcome any guidance "from the horse's mouth."

@damzog

damzog commented Aug 15, 2018

Let me add that other tools like Ansible or Jenkins come with a HashiCorp Vault integration but do not yet integrate with CredHub (if I were mean I would mention that even Concourse supported Vault before CredHub integration was added). So you end up with having both.

It would be nice if BOSH and Cloud Foundry supported Vault, too.

@jasondt

jasondt commented Aug 21, 2018

If Vault and CredHub both implement the config spec, I don't see why one can't use the other as a backend. Is there something about the storage model in CredHub that makes it challenging to support Vault as a backend? I'm comfortable with storing credentials in Vault because they're only stored encrypted in memory and never sent over a network, but I can't find anything on CredHub comparing the approach. CredHub having the goals of ease of use and a built-in backup process seems to have dictated here, but the whole concept of backups can't exist in the leasing-model use case for credentials, where they are created on demand based on user roles (usually in Active Directory) and removed immediately after use. Vault does all that, with Spring Cloud/Integration support too. We really need a comparison. Those are necessary features for us after being in the news over a breach last year, and really I just assumed this was the model implemented. I'd really like to know why if it wasn't, and what opportunity there is for adding that feature. It could even be an issue I or one of our teams could take on if we had some background.
