Bank-Vaults Introduction

Márk Sági-Kazár

2023-09-06 @ CNCF TAG Security weekly

whoami

Márk Sági-Kazár

Open Source Tech Lead @ Cisco

CNCF Ambassador

Bank-Vaults core maintainer

@sagikazarmark

https://sagikazarmark.hu

hello@sagikazarmark.hu

Problem

Kubernetes secret management is tricky

• Secret distribution
• Secret storage
• Managing access to secrets

Secret distribution

• Synchronize secrets to Kubernetes from central store (External Secrets)
• Inject secrets into containers (Bank-Vaults)
• Load secrets directly from store by the application (store specific SDKs)

History

Banzai Cloud

Mission: Help companies with digital transformation

Solution: All-in-one platform to run containerized applications

Enterprises need solutions to specific problems

Bank-Vaults was born

• It was part of the platform initially
• “Run your app, we will take care of secret management”
• Bank-Vaults became an independent project (2018)
  • Manage Hashicorp Vault on Kubernetes
  • Inject secrets directly into pods
• It quickly became our most popular Open Source project

Bank-Vaults

• Bank-Vaults CLI
• Vault Operator
• Secret injection webhook
• Vault Go SDK
• …more coming

Bank-Vaults CLI

• CLI tool to configure Vault
• Init, unseal, configure
• Declarative configuration in YAML
• Advanced features, like HSM and KMS for unsealing

Vault Operator

• Operate Vault on Kubernetes
• Manage unsealing and configuration using Bank-Vaults CLI

Secret injection webhook

• Mutate pods: inject a binary into containers
• Replace vault:path/to/secret formatted strings in env vars/files
• Many more features (inject vault token, mutate secrets/configmaps, etc)

Demo

Community & adoption

• Used at several companies in production
• Vibrant community on Slack
• Several external contributors
• Roadmap is driven by community feedback

Future plans

• Secret synchronization between stores
• Broaden secret store support (where applicable)
• WASM provider support

Useful links

• GitHub organization: https://github.com/bank-vaults
• Documentation: https://bank-vaults.dev
• Roadmap: https://github.com/orgs/bank-vaults/projects/5
• CNCF sandbox application: https://github.com/cncf/sandbox/issues/54

Thank you

Any questions?