Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

README request: CredHub vs Vault #12

Closed
drnic opened this issue Mar 9, 2017 · 9 comments

Comments

Projects
None yet
9 participants
@drnic
Copy link
Contributor

commented Mar 9, 2017

It would be awesome to summarize "CredHub vs Vault" in the readme. This will help explain to everyone why we are going down a path that's independent of the Vault ecosystem of existing tooling; and for non-CF/BOSH users it would explain why they'd deploy CredHub rather than Vault.

@cf-gitbot

This comment has been minimized.

Copy link

commented Mar 9, 2017

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/141440251

The labels on this github issue will be updated when the story is started.

@danjahner

This comment has been minimized.

Copy link
Member

commented Mar 13, 2017

Hi Dr. Nic -

I am a bit skeptical about whether a 'CredHub vs. Vault' document is valuable. I certainly agree that we need better documentation of our goals and use-cases, which is something on my to-do list.

The goal of the CredHub project is to provide an extendable and well integrated open source credential management solution for Cloud Foundry use-cases. We felt that we could cover these use-cases better by implementing a new product as opposed to wrapping Vault. Beyond UX and dependency concerns, some of the features that CF users want, e.g. HSM support, are only available in the commercial distribution of Vault.

All of that said - our goal is not to tell you not to use Vault. We are providing a product that will hopefully cover these use-cases very well, but you will always have the option to use Vault + wrappers if that is your preference.

Hope that helps.
Dan

@drnic

This comment has been minimized.

Copy link
Contributor Author

commented Mar 14, 2017

@danjahner danjahner added under review and removed unscheduled labels Mar 20, 2017

@domdom82

This comment has been minimized.

Copy link

commented Sep 19, 2017

this is an interesting one! actually, we are currently investigating whether to use credhub natively or wrap vault (the free version) in a bosh release. vault seems more mature and established atm, credhub may become the de facto standard for cf-based deployments (does it?).

@drnic is there already a version of that readme available?
thanks!

@Freakin

This comment has been minimized.

Copy link

commented Sep 25, 2017

@domdom82 There is an existing Vault bosh release (Thanks @drnic) so don't create your own
https://github.com/cloudfoundry-community/vault-boshrelease

@wfernandes

This comment has been minimized.

Copy link
Member

commented Jul 21, 2018

Seems like this issue is getting a lot of traffic since it is the number 1 result when searching vault vs. credhub.
@danjahner Can we link the document/readme (if one exists) describing the goals and use cases for credhub as mentioned in this comment?

@v6

This comment has been minimized.

Copy link

commented Aug 10, 2018

// , This question has come up at some important architecture meetings I have attended, and I didn't know what PCF CredHub was.

This page is also the top result for a search for credhub vs on duckduckgo.com:

https://duckduckgo.com/?q=credhub+vs&t=hi&ia=web

It's worth addressing, even in a more general "Credhub vs. Other Tools" type of document.

It seems that Vault is more of a general-purpose tool designed without any particular Cloud Platform, Cloud Service or OS in mind, and it seems like PCF CredHub is the best choice for architecture tied to PCF. But I would welcome any guidance "from the horse's mouth."

@damzog

This comment has been minimized.

Copy link

commented Aug 15, 2018

Let me add that other tools like Ansible or Jenkins come with a hashicorp vault integration but do not yet integrate with credhub (if I was mean I would mention that even concourse supported vault before credhub integration was added). So you end up with having both.

It would be nice if bosh and cloud foundry supported vault, too.

@jasondt

This comment has been minimized.

Copy link

commented Aug 21, 2018

If vault and credhub both implement the config spec, I don't see why one cant use the other as a backend. Is there something about the storage model in credhub that makes it challenging to support vault as a backend? I'm comfortable with storing credentials in vault because they're only stored encrypted in memory and never sent over a network, but I can't find anything on credhub comparing the approach. Credhub having the goals of easy of use and built in backup process that seem to have dictated here, but the whole concept of backups can't exist in the leasing model use case for credentials where they are created on demand based on user roles usually in Active Directory and removed immediately after use. Vault does all that with spring cloud/integration support too. We really need a comparison. Those are necessary features for us after being in the news over a breach last year, and really I just assumed this was the model implemented. I'd really like to know why if it wasn't, and what opportunity there is for adding that feature. It could even be an issue I or one of our teams could take on if we had some background

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.