{"id":31904121,"url":"https://github.com/cloudfoundry-community/safe-boshrelease","last_synced_at":"2025-10-13T13:47:29.933Z","repository":{"id":12883617,"uuid":"73042870","full_name":"cloudfoundry-community/safe-boshrelease","owner":"cloudfoundry-community","description":"A simplified HA Vault intended to be used with `safe`","archived":false,"fork":false,"pushed_at":"2025-07-21T21:48:28.000Z","size":147,"stargazers_count":8,"open_issues_count":8,"forks_count":9,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-07-21T23:24:15.744Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudfoundry-community.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-11-07T04:41:59.000Z","updated_at":"2025-07-02T19:24:40.000Z","dependencies_parsed_at":"2025-07-02T20:25:06.131Z","dependency_job_id":null,"html_url":"https://github.com/cloudfoundry-community/safe-boshrelease","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/cloudfoundry-community/safe-boshrelease","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fsafe-boshrelease","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fsafe-boshrelease/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fsafe-boshrelease/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fsafe-boshrelease/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudfoundry-community","download_url":"https://codeload.github.com/cloudfoundry-community/safe-boshrelease/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fsafe-boshrelease/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279015339,"owners_count":26085685,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-13T13:47:27.106Z","updated_at":"2025-10-13T13:47:29.927Z","avatar_url":"https://github.com/cloudfoundry-community.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# safe-boshrelease - A Better Vault BOSH Release\n\nVault is a secure credentials storage system from Hashicorp.\n\nIt stands up a multi-homed Vault with Consul as a storage backend.\n\n## But Why Not Use The Vault BOSH Release?\n\nI have, and I do.  But it provides way more option than the\ntypical set up needs.  If that works for you and it makes you\nhappy, great.  I wanted something simpler and more opinionated.\n\n## How Does This Relate To The `safe` CLI for Vault?\n\n[safe][safe] has some built-in support for this particular BOSH\nrelease, by way of a thing called [`strongbox`][strongbox].  Primarily, the\nextra handy `safe unseal` and `safe seal` commands work _only_\nwith this BOSH release.\n\n## How Do I Deploy It?\n\nA sample manifest is available at `manifests/safe.yml`; it has\neverything you need to run a 3-node Vault.\n\n```\nbosh -e your-bosh-director -d safe deploy manifests/safe.yml\n```\n\nOnce Vault is running, you can use `safe` to initialize it:\n\n```\n$ safe target https://your.vault.ip some-alias -k\n$ safe init\nUnseal Key #1: G55lL0iDddspbNxthYPh0RtZb7cWENfJqm6ZhL9LrnkH\nUnseal Key #2: 7aGZ4af/dfnJBriYhDftcR6u6ck2iRW8VwY2Aooo4sAR\nUnseal Key #3: jcTn71H70++Uq9pkdSLNgoUVeq+h/rakHjzdBgBheTJx\nUnseal Key #4: 9SsFAO8nC7xGuL1nf+a1dK1+nsnkqJeHiCEeHgYcpP4L\nUnseal Key #5: J8hRCkXnWCx00kC8tyCiyKRxfULDhEGHd/fuO5bKuvxI\nInitial Root Token: fa6fc1dd-f70b-dbaf-165f-a95500523454\n\nVault initialized with 5 keys and a key threshold of 3. Please\nsecurely distribute the above keys. When the Vault is re-sealed,\nrestarted, or stopped, you must provide at least 3 of these keys\nto unseal it again.\n\nVault does not store the master key. Without at least 3 keys,\nyour Vault will remain permanently sealed.\n\nsafe has unsealed the Vault for you, and written a test value\nat secret/handshake.\n\nYou have been automatically authenticated to the Vault with the\ninitial root token.  Be safe out there!\n```\n\n**Note**: You will need safe v1.0.0 or higher, since this BOSH\nrelease now ships with Vault 1.0.2, and `safe init` from earlier\nversions are known to not work.\n\nThat's all there is to it!\n\n## Using the Vault Service Broker\n\nIf you want to deploy the [Vault Service Broker][sb] via BOSH, you\ncan add the BOSH ops file to your deploy:\n\n```\nbosh -e your-bosh-director -d safe deploy \\\n     manifests/safe.yml \\\n  -o manifests/ops/broker.yml \\\n  -v cf-api-url=\"...\" \\\n  -v cf-username=\"...\" \\\n  -v cf-password=\"...\" \\\n  -v cf-skip-ssl-validation=no \\\n  -v vault-token=\"...\" \\\n  -v vault-broker-guid=\"...\" \\\n  -v vault-broker-password=\"...\"\n```\n\nThe following variables must be specified:\n\n- **cf-api-url** - The full URL of the Cloud Foundry API.\n- **cf-username** - What username to sign into CF with.\n- **cf-password** - Password to use for authentication to CF.\n- **cf-skip-ssl-validation** - Whether or not to ignore SSL/TLS\n  certificate validation errors (expiration, subject mismatch,\n  etc.)  You probably want to set this to `no`.\n- **vault-token** - A root token for the broker to authenticate.\n- **vault-broker-guid** - Unique ID for the service broker to use\n  in its plan and service metadata.  Once the broker has been\n  registered with the CF marketplace, this should not change.\n- **vault-broker-password** - The password to require for\n  communication between CF and the Vault broker.\n\nOnce deployed, you can register the Vault service broker with\nCloud Foundry, and enable marketplace access to plans, via the\nregister-broker errand:\n\n```\nbosh -e your-bosh-director -d safe run-errand register-broker\n```\n\nNote: since you **must** supply a Vault token to the broker, you\nwill always have to deploy Vault without the broker component,\ninitialize and unseal, and _then_ re-deploy with the broker\nenabled.  Otherwise, the broker BOSH (monit) jobs will fail to\nstart up properly, and the deployment as a whole will fail.\n\n[safe]: https://github.com/starkandwayne/safe\n[sb]:   https://github.com/cloudfoundry-community/vault-broker\n[strongbox]: https://github.com/jhunt/go-strongbox\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfoundry-community%2Fsafe-boshrelease","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudfoundry-community%2Fsafe-boshrelease","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfoundry-community%2Fsafe-boshrelease/lists"}