VSO syncing vault secrets as native kubernetes secrets

VSO syncs Vault secrets as native Kubernetes secrets and stores them in etcd.
Without Vault also we are getting secrets from etcd, right, which are not encrypted, only encoded, and anyone having access to the cluster can access that secret like below:
$ kubectl get secret vso-handled -o json | jq ".data | map_values(@base64d)"

{
  "_raw": "{\"data\":{\"password\":\"bestpasswordever\",\"username\":\"jalbertson\"},\"metadata\":{\"created_time\":\"2024-01-25T15:48:31.871429498Z\",\"custom_metadata\":null,\"deletion_time\":\"\",\"destroyed\":false,\"version\":1}}",
  "password": "bestpasswordever",
  "username": "jalbertson"
}
So what is the benefit of syncing Vault secrets as Kubernetes secrets?

The main benefit is that Vault and VSO take care of the secrets lifecycle: create, rotate, audit.
Per the comparison chart "Kubernetes Vault integration via Sidecar Agent Injector vs. Vault Secrets Operator vs. CSI provider" you can consider etcd encryption at rest or using other integration methods.
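The check that goes with this reply, added here as an example and not part of the original thread: once etcd encryption at rest is configured, a Secret's raw etcd value starts with a `k8s:enc:<provider>:...` prefix instead of plaintext protobuf. The classifier below works on any raw value; `check_secret_in_etcd` wraps the real `etcdctl` call and assumes the usual `ETCDCTL_*` environment variables (endpoint, certificates) are set.

```shell
#!/bin/sh
# Classify the raw etcd value of a Kubernetes Secret by the prefix that
# kube-apiserver writes when an EncryptionConfiguration provider is active.
# Plaintext Secrets are stored as protobuf starting with "k8s" followed by a
# NUL byte; encrypted ones start with "k8s:enc:<provider>:v<N>:".
etcd_secret_encryption_state() {
    value="$1"
    case "$value" in
        k8s:enc:aescbc:v1:*)               echo "encrypted:aescbc" ;;
        k8s:enc:aesgcm:v1:*)               echo "encrypted:aesgcm" ;;
        k8s:enc:secretbox:v1:*)            echo "encrypted:secretbox" ;;
        k8s:enc:kms:v1:*|k8s:enc:kms:v2:*) echo "encrypted:kms" ;;
        *)                                 echo "plaintext" ;;
    esac
}

# Read the first bytes of the Secret's etcd entry and classify them.
# Requires etcdctl (v3 API) with ETCDCTL_ENDPOINTS / ETCDCTL_CACERT /
# ETCDCTL_CERT / ETCDCTL_KEY already exported for the cluster's etcd.
check_secret_in_etcd() {
    ns="$1"
    name="$2"
    raw="$(etcdctl get "/registry/secrets/$ns/$name" --print-value-only | head -c 64)"
    etcd_secret_encryption_state "$raw"
}

# Constructed sample values (not real etcd contents) showing both outcomes.
SAMPLE_PLAINTEXT='k8s
v1	Secret'
SAMPLE_AESCBC='k8s:enc:aescbc:v1:key1:CONSTRUCTED_CIPHERTEXT_BYTES'
SAMPLE_KMS='k8s:enc:kms:v2:my-kms-plugin:CONSTRUCTED_CIPHERTEXT_BYTES'

if [ "${1:-}" = "--demo" ]; then
    for v in "$SAMPLE_PLAINTEXT" "$SAMPLE_AESCBC" "$SAMPLE_KMS"; do
        etcd_secret_encryption_state "$v"
    done
fi
```

Run with `--demo` to see the three classifications; in a cluster, `check_secret_in_etcd <namespace> vso-handled` reports `plaintext` until encryption at rest is enabled and the Secret has been rewritten.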

@muzzy
Thanks for the reply.
I do agree that VSO will take care of the lifecycle, but using encryption methods for etcd at the end will be an additional task, right?
Basically, to avoid that in our clusters we are using Vault, which provides huge benefits for secret management.
I can use Vault Agent also, but I felt VSO would make it easier to fetch secrets; at the end, though, it is keeping them in etcd and anyone can access the secrets.
Is that a drawback of the VSO method?

"Anyone" normally doesn't have access to etcd.

But yes, having unencrypted secrets could be considered a weakness.

Thanks @muzzy for the reply.
"Anyone" in the sense of anyone who has cluster-level access can access etcd.