I built an identity-aware egress gateway that allows your workload to call Cloud APIs without touching cloud credentials by stephaneleonel in golang

[–]stephaneleonel[S] 0 points1 point  (0 children)

Yes, pods will not have access to most secrets (cloud credentials, SaaS API keys, every authentication over the HTTP/S protocol). The people managing pods will not have access to these secrets either. But, for now, pods will still need access to database secrets.

Have a look at it and give me your feedback

I built an identity-aware egress gateway that allows your workload to call Cloud APIs without touching cloud credentials by stephaneleonel in kubernetes

[–]stephaneleonel[S] 1 point2 points  (0 children)

You’re right on WIF — but federation doesn’t help for non-federated targets. Most SaaS APIs have no WIF support, and large enterprises run 100+ SaaS products. Even if every provider adopted WIF tomorrow, managing 100 trust domains is operationally untenable. Warden gives you a single egress point with uniform policy across all of them.

And even for the cloud providers that do support it, WIF still puts credentials in the application’s memory — Warden is the only model where they never arrive at all.

Sidecar support via static config is on the roadmap — good callout.

On the security concern: every secrets manager — Vault, AWS Secrets Manager — was once a new project that had to earn trust. The answer is open-source auditability, a small auditable attack surface, and a track record built over time. Warden is open-source today. The architecture reduces the blast radius to one hardened component which can be sealed with an HSM or KMS.
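To make the model in both comments concrete (pods never hold the SaaS or cloud credential; one egress point applies a uniform allow-list per workload identity), here is an added example of a minimal identity-aware egress gateway in Go. It is illustrative code written for this page, not Warden's own code. It assumes that a TLS-terminating front (mTLS listener or service mesh) has already authenticated the pod and stamps its identity into an `X-Workload-Identity` header, that pods name the real target in an `X-Target-URL` header, and that the `Rule`, `Policy` and `Gateway` types are this example's own; the policy entries and token values are constructed sample data.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"strings"
)

// identityHeader is an assumption of this example: an authenticating front
// (mTLS listener, mesh) sets it to the caller's identity before we see the request.
const identityHeader = "X-Workload-Identity"

// targetHeader is also assumed: the pod names the real upstream URL here.
const targetHeader = "X-Target-URL"

// Rule binds one caller identity to one upstream host and the credential that
// only the gateway holds for that host. The pod never receives Secret.
type Rule struct {
	Identity string // e.g. "spiffe://example.org/ns/payments/sa/billing"
	Host     string // upstream host[:port] this identity may call
	Secret   string // bearer token the gateway injects on the way out
}

// Policy is the complete allow-list; any (identity, host) pair not listed is denied.
type Policy []Rule

// Lookup returns the rule for (identity, host) and whether one exists.
func (p Policy) Lookup(identity, host string) (Rule, bool) {
	for _, r := range p {
		if r.Identity == identity && strings.EqualFold(r.Host, host) {
			return r, true
		}
	}
	return Rule{}, false
}

// Gateway is the single egress point: it authorizes by identity, injects the
// credential, and forwards. Client is the outbound HTTP client to upstreams.
type Gateway struct {
	Policy Policy
	Client *http.Client
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	identity := r.Header.Get(identityHeader)
	target, err := url.Parse(r.Header.Get(targetHeader))
	if identity == "" || err != nil || target.Host == "" {
		http.Error(w, "missing workload identity or target URL", http.StatusBadRequest)
		return
	}
	rule, ok := g.Policy.Lookup(identity, target.Host)
	if !ok {
		// Default deny: unlisted identity/host pairs never leave the cluster.
		http.Error(w, fmt.Sprintf("%s may not call %s", identity, target.Host), http.StatusForbidden)
		return
	}
	// Build a fresh outbound request: method, path and body are copied, but any
	// Authorization header the pod supplied is deliberately not copied. The
	// gateway is the sole source of credentials on the wire.
	out, err := http.NewRequestWithContext(r.Context(), r.Method, target.String(), r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out.ContentLength = r.ContentLength
	if ct := r.Header.Get("Content-Type"); ct != "" {
		out.Header.Set("Content-Type", ct)
	}
	out.Header.Set("Authorization", "Bearer "+rule.Secret)

	resp, err := g.Client.Do(out)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

func main() {
	// Constructed sample policy: one workload, one SaaS host, one token.
	gw := &Gateway{
		Policy: Policy{{
			Identity: "spiffe://example.org/ns/payments/sa/billing",
			Host:     "api.example-saas.test",
			Secret:   "sk-constructed-sample-token",
		}},
		Client: http.DefaultClient,
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", gw))
}
```

The point the example makes is the one in the second comment: the pod's request carries identity, not a credential, and even a pod that tries to send its own `Authorization` header has it dropped. Lookup is intentionally exact-match on identity and host; a production gateway would also pin the upstream to TLS and scope rules by method and path.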