Vault for secret keeping? CNCF End User Technology Radar spots surprising interest


The CNCF End User Community has released its fourth technology radar, this time scanning the tools and approaches used to manage authentication credentials such as keys, tokens and API credentials.

Despite the radar report’s authors expecting that most companies would simply use whichever secret management mechanism their cloud provider offers, the results were much more fragmented and saw HashiCorp Vault come out on top.

The radar team said they regard Vault as a “rather complex tool with high operational burden”, so its broadening adoption and developers’ willingness to use it came as a surprise. Given the perceived complexity, the report speculated that organisations might be opting for Vault so they do not run into the pains of building and maintaining a custom tool. Vault also presents a cloud-agnostic solution, which might appeal to those wanting to avoid cloud vendor lock-in or needing to work in multi-cloud setups.

Certificate Manager was another unexpected find in the adopt section of the radar, as it is relatively new on the scene and has a very narrow focus. Its emergence led the radar team to believe that certificate management is currently at the top of most adopters’ minds. Good integration with Kubernetes and other tools within the ecosystem made it easy to include, meaning organisations might be drawn to it as a quick solution, the report found.

CNCF’s incubating Certificate Manager project, SPIRE, didn’t make the radar. Besides it not yet having reached feature stability, its focus on identity provisioning was cited in the report as a reason for it not making the cut. Also not included were encrypted data bags in DevOps tools. The report said these serve the purpose of secret management, but “many likely don’t think of them as secrets management tools but rather part of another product that helps with secrets”.

AWS Secrets Manager and AWS KMS also made it into the adopt category of the tech radar, while the trial section included Bitnami Sealed Secrets and encrypted repositories. Mozilla’s sops and GCP landed in the assess section, though half of the organisations in the report that mentioned sops would recommend giving it a closer look.

The CNCF End User Technology Radar was first introduced in 2020. It is inspired by Thoughtworks’ format of the same name and aims to provide insight into which tools the wider user community is using, so that those new to the ecosystem get a rough idea of what works for others before they start their own evaluation process. Results are grouped into the categories adopt, trial, assess and hold, showing which tools are clearly recommended, which merit at least a test run, which are promising but not necessarily widely deployed in projects, and which are best avoided.

Compared to other radars, it is driven by community input and focused on specific use cases, which is why it is released a little more frequently than usual, so that different scenarios can be covered. In the latest report, “29 companies contributed 79 data points” to come up with recommendations for secret management. Earlier editions covered Continuous Delivery, Observability, and Database Storage.

The radar reports provide a rough guide to the practices of the organisations involved in the user group, but the results should be taken with a pinch of salt, as there are no details on facts such as when a company evaluated a certain tool, which is potentially vital to consider given the furious pace at which some projects evolve. Another criticism is that there is no input from organisations on the features some may feel are missing from specific tools. Some tools might simply have fallen by the wayside because of the technology stack they had to fit into, and could be well suited to different setups.