What would some of the pros and cons be of deploying vault on K8s vs deploying vault on external Ec2 instances?
Vault isn’t something that you can auto-scale for the most part. The “bottleneck” is usually the leader node, and the only solution for this is to upgrade the instance itself. That said, I’d still set an ASG on your EC2 instances. It’ll make it much easier to do a rolling upgrade of Vault nodes.
We have had a lot of talks about containerization of Vault both internally and with Hashicorp Architects (they fully support it – although the list of supported versions is small). Internally we have come to the decision that the risks and complexity of containerization aren’t worth the savings of a few dollars on the cost of an EC2 instance.
A note on EC2 types – stay away from T-type instances. Golang doesn’t do well with dynamic spike resources that go away.
Thanks very much for your answer Aram. So EC2 backed by asg is the way to go then.
Yeah NLB → Target Group → EC2 w/ASG
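The NLB → target group → EC2 w/ASG layout above, written out as a Terraform example. This is an added illustration, not code from the thread or from HashiCorp; the variable names (vault_ami, subnet_ids, vpc_id, instance_profile_name), the instance type and the 3-node sizing are assumptions. The health check uses Vault's /v1/sys/health endpoint, and the ASG health-check type is deliberately EC2 rather than ELB so that a standby or sealed node is not terminated by the ASG.

```hcl
# Added example (not from the original thread): NLB -> target group -> ASG
# for a Vault cluster on EC2. Assumed inputs, supplied by the caller:
variable "vault_ami" { type = string }             # AMI with Vault installed
variable "subnet_ids" { type = list(string) }      # private subnets, one per AZ
variable "vpc_id" { type = string }
variable "instance_profile_name" { type = string } # IAM profile for KMS auto-unseal etc.

resource "aws_lb" "vault" {
  name               = "vault-nlb"
  load_balancer_type = "network"
  internal           = true
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "vault" {
  name        = "vault-tg"
  port        = 8200
  protocol    = "TCP"
  vpc_id      = var.vpc_id
  target_type = "instance"

  health_check {
    protocol = "HTTPS"
    port     = "8200"
    # Vault's health endpoint returns 200 for the active node, 429 for a
    # standby (by default), and 503 when sealed. NLB treats 200-399 as
    # healthy, so without standbyok=true only the leader takes traffic;
    # with it, standbys also pass and forward requests to the leader.
    path                = "/v1/sys/health?standbyok=true"
    interval            = 10
    healthy_threshold   = 3
    unhealthy_threshold = 3
  }
}

resource "aws_lb_listener" "vault" {
  load_balancer_arn = aws_lb.vault.arn
  port              = 8200
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vault.arn
  }
}

resource "aws_launch_template" "vault" {
  name_prefix   = "vault-"
  image_id      = var.vault_ami
  # Fixed-performance type (assumed); the thread advises against burstable T-types.
  instance_type = "m5.large"

  iam_instance_profile {
    name = var.instance_profile_name
  }
}

resource "aws_autoscaling_group" "vault" {
  name                = "vault-asg"
  min_size            = 3
  max_size            = 3
  desired_capacity    = 3
  vpc_zone_identifier = var.subnet_ids
  target_group_arns   = [aws_lb_target_group.vault.arn]
  # EC2, not ELB: a sealed or standby node that fails the LB health check
  # must be drained from the NLB, not terminated by the ASG.
  health_check_type = "EC2"

  launch_template {
    id      = aws_launch_template.vault.id
    version = "$Latest"
  }

  # Rolling upgrade: bump the AMI in the launch template and apply; the ASG
  # replaces instances one at a time, keeping at least 2 of 3 in service.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 66
    }
  }
}
```

The ASG here is fixed at 3/3/3: it exists for rolling replacement and self-healing, not for scaling, which matches the point above that the leader node is the bottleneck and is upgraded by changing the instance type, not by adding nodes.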
Thank you very much Aram
I’ve yet to see any real benefit from running Vault within K8s. It adds complexity, has a number of edge cases to support… and usually adds headaches when trying to debug/performance tune.
If you are a very very mature Kubernetes shop, maybe if you have a mandate to containerize everything… but I highly suggest using bare VMs/instances like EC2.
thank you very much Mike