ADR-0003: VSecM Will Be Scoped to Work on Kubernetes Only

  • Status: accepted
  • Date: 2024-05-09
  • Tags: integration

Context and Problem Statement

VMware Secrets Manager leverages SPIFFE as its identity control plane. SPIFFE is platform and infrastructure agnostic, so we could add support for non-Kubernetes environments too if we wanted.

However, this would mean the project would need alternatives to its Kubernetes tooling (such as ClusterSPIFFEIDs, ServiceAccounts, Kubernetes RBAC, and similar).

This would increase the scope of the project a lot.

At least for version 1.0, we shall not be considering a non-Kubernetes solution.

This decision may be revisited when we reach 1.0, the project gains adequate maturity, and there are not many major features left to implement.

Decision Drivers

  • Increase in scope and complexity
  • Increase in the attack surface
  • Increase in unit and integration testing needs

Considered Options

  1. No non-Kubernetes work until version 1.0.
  2. Provide limited support, offering a subset of features.
  3. Plan for non-Kubernetes support anyway.
  4. Create an experimental branch and work on it without any commitments.

Decision Outcome

Chosen option: Option 1, because the increased scope does not match our limited time and resources, and because we’d rather keep the project secure and well-tested.

Positive Consequences

  • Less scope means more focus.
  • Less complexity in the project.
  • The Kubernetes machinery can do a lot of the heavy lifting.

Negative Consequences

  • The project will not solve the secrets management needs of those who do not use Kubernetes.
