{"id":37099270,"url":"https://github.com/cloudwatt/kubernetes-flexvolume-vault-plugin","last_synced_at":"2026-01-14T12:03:52.255Z","repository":{"id":57663844,"uuid":"112181808","full_name":"cloudwatt/kubernetes-flexvolume-vault-plugin","owner":"cloudwatt","description":null,"archived":false,"fork":true,"pushed_at":"2018-05-17T15:38:35.000Z","size":6944,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-06-20T03:41:20.316Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"fcantournet/kubernetes-flexvolume-vault-plugin","license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudwatt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-11-27T10:26:20.000Z","updated_at":"2024-06-20T03:41:20.317Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/cloudwatt/kubernetes-flexvolume-vault-plugin","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/cloudwatt/kubernetes-flexvolume-vault-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudwatt%2Fkubernetes-flexvolume-vault-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudwatt%2Fkubernetes-flexvolume-vault-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudwatt%2Fkubernetes-flexvolume-vault-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudwatt%2Fkubernetes-flexvolume-vault-plugin/manifests","owner_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/owners/cloudwatt","download_url":"https://codeload.github.com/cloudwatt/kubernetes-flexvolume-vault-plugin/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudwatt%2Fkubernetes-flexvolume-vault-plugin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28419277,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T10:47:48.104Z","status":"ssl_error","status_checked_at":"2026-01-14T10:46:19.031Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T12:03:51.655Z","updated_at":"2026-01-14T12:03:52.251Z","avatar_url":"https://github.com/cloudwatt.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.org/cloudwatt/kubernetes-flexvolume-vault-plugin.svg?branch=master)](https://travis-ci.org/cloudwatt/kubernetes-flexvolume-vault-plugin)\n\n# What is this ?\n\nThis project is an implementation of a Kubernetes flexvolume plugin that injects a scoped Vault token into pods at startup so they can fetch their secrets, via consul-template for instance.\nThis is a fork of https://github.com/fcantournet/kubernetes-flexvolume-vault-plugin\n\n# How do I build it ?\n\nJust run `make` (or `go build -o whatever .` where `whatever` is the name you want the binary to have).\nBy default the name of the binary is `vaulttmpfs`.\nAll dependencies are vendored under `/vendor` with glide and committed, so you can build with just the Go toolchain.\n\nYou can also `go get github.com/cloudwatt/kubernetes-flexvolume-vault-plugin`\n\n# How does it work ?\n\nIt creates a tmpfs volume and mounts it at a path specified by the kubelet.\nInside the volume are 2 files with a configurable _basename_:\n- `basename` contains the raw response-wrapped Vault token.\n- `basename.json` contains the full response from Vault at token creation time (includes some Vault metadata).\n\nThe wrapped token carries the wrap TTL configured by `VAULT_WRAP_TTL` (5m by default), so the pod must unwrap it before that TTL expires.\n\nMultiple options can be provided to the plugin via stdin by the kubelet (cf. flexvolume documentation):\n\n| Option | Default | Description |\n|--------|---------|-------------|\n| `vault/policies` | \"\" | The policies scoped to the token. |\n| `vault/unwrap` | \"false\" | Write an unwrapped token instead of a response-wrapped one. |\n| `vault/role` | \"`$VAULTTMPFS_DEFAULT_ROLE_NAME`\" | The `auth/token` role against which the token is created (overrides the default role). |\n| `vault/filePermissions` | \"0644\" | Permissions of the generated token files. The default makes the token readable by every user inside the container; tighten it (e.g. `0640` or `0600`) to match the UID/GID the application runs as. |\n\nThe binary generated by the project must be present on the node at a specific path under the directory specified to the kubelet by the flag `--volume-plugin-dir` (cf. kubelet flexvolume documentation).\nBy default: `$VOLUME_PLUGIN_DIR/exec/cloudwatt~vaulttmpfs/vaulttmpfs`\n\nThen you can refer to this volume in a pod like so:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  name: demo\nspec:\n  containers:\n  - name: nginx\n    image: nginx\n    ports:\n    - containerPort: 80\n    volumeMounts:\n    - name: secret\n      mountPath: /crazy\n  dnsPolicy: Default\n  volumes:\n  - name: secret\n    flexVolume:\n      driver: \"cloudwatt/vaulttmpfs\"\n      fsType: \"tmpfs\"\n      options:\n        vault/policies: \"nginx\"\n        vault/filePermissions: \"0640\"\n```\n\nBy default Vault tokens are created against the `applications` role (set by `VAULTTMPFS_DEFAULT_ROLE_NAME`).\nA different role can be passed per token via the `vault/role` stdin option.\n\nThe Vault token given to this plugin (loaded from `VAULTTMPFS_GENERATOR_TOKEN_PATH`) must have the necessary policies to create other tokens against the wanted roles, and should have nothing broader: it sits on every node that runs the plugin.\ne.g.: if the *application_role* is `nginx` then the policy should give write access to `auth/token/create/nginx`.\n\nExamples of policies and roles are given in `examples/`. Please refer to the [Vault API documentation](https://www.vaultproject.io/api/auth/token/index.html#create-update-token-role).\n\n# Configuration\n\nSince the kubelet runs the plugin with a fixed set of arguments we can't pass configuration via command-line flags.\nWe therefore use environment variables. The process inherits its whole environment from the kubelet.\n\nThe plugin supports some of the standard `vault` environment variables [as defined here](https://www.vaultproject.io/docs/commands/environment.html) (it calls `config.ReadEnvironment()`).\nThis means that the defaults for these are set by Vault, not by this plugin, and the default values listed for the `VAULT_*` variables in the table below may not match what the Vault client actually uses (although you should probably never rely on the default values anyway).\nVault loads the system's CAs by default, but you can specify a custom CA certificate with `VAULT_CACERT` or `VAULT_CAPATH`.\n\nAdditionally we have variables to configure settings external to Vault. These are prefixed with `VAULTTMPFS_` so as not to conflict with anything else.\n\n(non-exhaustive) Table of supported configuration variables:\n\n| Environment Variable | Default | Description |\n|----------------------|---------|-------------|\n| `VAULTTMPFS_GENERATOR_TOKEN_PATH` | /etc/kubernetes/vaulttoken | The path to load the token used by this service from. |\n| `VAULTTMPFS_TOKEN_FILENAME` | vault-token | The name of the file in the created volume that will contain the wrapped token. |\n| `VAULTTMPFS_DEFAULT_ROLE_NAME` | applications | The default `auth/token` role against which tokens will be created. |\n| `VAULT_ADDR` | https://127.0.0.1:8200 | The Vault server URL. |\n| `VAULT_TLS_SERVER_NAME` | \"\" | If set, use the given name as the SNI host when connecting via TLS. |\n| `VAULT_WRAP_TTL` | 5m | TTL of the wrapped token inserted in the volume. |\n| `VAULT_MAX_RETRY` | 2 | The maximum number of retries when a 5xx error code is encountered. Default is 2, for three total tries; set to 0 or less to disable retrying. |\n\n# Bootstrap\n\nThere is a helper command to bootstrap a node with a token for the token generator policy.\nIt supports 2 authentication methods: interactive LDAP auth (needs to be configured and activated in Vault), or a (root) `VAULT_TOKEN` set in the environment.\nJust run: `vaulttmpfs bootstrap`\n\nYou need to have `VAULT_ADDR` set as an environment variable.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudwatt%2Fkubernetes-flexvolume-vault-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudwatt%2Fkubernetes-flexvolume-vault-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudwatt%2Fkubernetes-flexvolume-vault-plugin/lists"}
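The following is an added Go example, not code from the cloudwatt plugin, illustrating the option handling and volume layout the README above describes: it decodes the kubelet's option map using the four documented keys and their defaults, then writes `basename` and `basename.json` into the mount directory with the requested mode. The `Options` struct, the function names, the rejection of group/other-writable modes and of role names containing `/` or whitespace are this example's own assumptions, and the token and creation response are constructed placeholders where a real mount would call Vault.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Options is the subset of flexvolume options listed in the README table.
// The struct and the validation rules below are this example's own, not the plugin's.
type Options struct {
	Policies []string    // vault/policies, comma-separated in the option map
	Unwrap   bool        // vault/unwrap
	Role     string      // vault/role, falling back to the default role
	FileMode os.FileMode // vault/filePermissions, an octal string in the option map
}

const (
	fallbackRole    = "applications"    // README default for VAULTTMPFS_DEFAULT_ROLE_NAME
	defaultFileMode = os.FileMode(0644) // README default for vault/filePermissions
)

// ParseOptions decodes the JSON option map the kubelet hands to the plugin and
// applies the README defaults. defaultRole is what the plugin would read from
// VAULTTMPFS_DEFAULT_ROLE_NAME; an empty value falls back to "applications".
// Added checks: modes that let group/other write the token file are refused, and
// so are role names that could alter the auth/token/create/<role> path.
func ParseOptions(raw []byte, defaultRole string) (Options, error) {
	var m map[string]string
	if err := json.Unmarshal(raw, &m); err != nil {
		return Options{}, fmt.Errorf("options are not a JSON object of strings: %w", err)
	}
	opts := Options{Role: defaultRole, FileMode: defaultFileMode}
	if opts.Role == "" {
		opts.Role = fallbackRole
	}
	for _, p := range strings.Split(m["vault/policies"], ",") {
		if p = strings.TrimSpace(p); p != "" {
			opts.Policies = append(opts.Policies, p)
		}
	}
	if v, ok := m["vault/unwrap"]; ok {
		b, err := strconv.ParseBool(strings.TrimSpace(v))
		if err != nil {
			return Options{}, fmt.Errorf("vault/unwrap: %w", err)
		}
		opts.Unwrap = b
	}
	if v := strings.TrimSpace(m["vault/role"]); v != "" {
		if strings.ContainsAny(v, "/ \t\r\n") {
			return Options{}, fmt.Errorf("vault/role %q contains a path separator or whitespace", v)
		}
		opts.Role = v
	}
	if v, ok := m["vault/filePermissions"]; ok {
		mode, err := strconv.ParseUint(strings.TrimSpace(v), 8, 32)
		if err != nil {
			return Options{}, fmt.Errorf("vault/filePermissions: %w", err)
		}
		if mode&0022 != 0 {
			return Options{}, errors.New("vault/filePermissions: group/other write bits are not allowed on a token file")
		}
		opts.FileMode = os.FileMode(mode) & os.ModePerm
	}
	return opts, nil
}

// WriteTokenFiles lays out the two files the README describes inside the already
// mounted volume dir: <basename> holds the raw token (wrapped or unwrapped) and
// <basename>.json holds Vault's full creation response, both with the same mode.
func WriteTokenFiles(dir, basename, token string, creationResponse []byte, mode os.FileMode) error {
	if basename == "" || strings.ContainsAny(basename, "/") {
		return fmt.Errorf("invalid basename %q", basename)
	}
	if err := os.WriteFile(filepath.Join(dir, basename), []byte(token), mode); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, basename+".json"), creationResponse, mode)
}

func main() {
	// Constructed option map, as the kubelet would pass for the README's demo pod.
	raw := []byte(`{"vault/policies":"nginx","vault/filePermissions":"0640"}`)
	opts, err := ParseOptions(raw, os.Getenv("VAULTTMPFS_DEFAULT_ROLE_NAME"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad options:", err)
		os.Exit(1)
	}
	dir, err := os.MkdirTemp("", "vaulttmpfs-demo") // stands in for the kubelet's mount dir
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed placeholder token and response; a real mount gets both from Vault.
	resp := []byte(`{"wrap_info":{"token":"hvs.wrapped-placeholder","ttl":300}}`)
	if err := WriteTokenFiles(dir, "vault-token", "hvs.wrapped-placeholder", resp, opts.FileMode); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("role=%s policies=%v unwrap=%t mode=%04o dir=%s\n",
		opts.Role, opts.Policies, opts.Unwrap, uint32(opts.FileMode), dir)
}
```

The basename used in `main` matches the README default for `VAULTTMPFS_TOKEN_FILENAME`; the mode check rejects `0666`-style requests because, once the tmpfs is mounted into the container, any process able to write the token file can substitute a token of its choosing.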