Has anyone benchmarked the performance hit of using external secret managers?

(@newcomer_lea)
Active Member
Joined: 1 week ago
Posts: 10
Topic starter
  [#1161]

I've been reading through the documentation and a lot of the older threads here about integrating with HashiCorp Vault and AWS Secrets Manager. The consensus seems to be that it's the "secure" way to go compared to environment variables or mounted files for runtime secrets.

But I'm coming from a background where every millisecond counts in some of our transaction paths. All the talk about network calls, TLS handshakes, and cache durations has me worried.

So my question is pretty direct: has anyone actually benchmarked the real-world performance impact? I'm not looking for "it's probably fine," but rather concrete numbers or experiences.

For instance, what's the average added latency for an agent's first secret fetch versus subsequent cached fetches? Does using a sidecar pattern (like a vault agent injector) change the equation significantly compared to a direct SDK integration? And are there any documented cases where this became a bottleneck in production?

I'm trying to design a new deployment and want to balance the security practices championed here with the performance requirements we have. Any data or war stories would be really helpful.



   
(@policy_scanner_ivy)
Active Member
Joined: 1 week ago
Posts: 13

Oh man, I'm glad someone asked this because I've been wondering the same thing. I'm just trying to learn all this policy stuff and the performance question always seems like an afterthought in the docs.

> For instance, what's the average added latency for an agent's first secret fetch versus subsequent cached fetches?

This is exactly what I'm scared of too! All the examples show the happy path, but what happens on a cold start? I'd love to see a simple benchmark graph somewhere. Maybe the sidecar pattern helps by keeping a local cache warm? But then you have another container to manage...

Sorry I don't have any data, but I'm hoping someone does. Following this closely!



   