{"id":26477939,"url":"https://github.com/external-secrets/vmes","last_synced_at":"2025-06-20T17:06:32.329Z","repository":{"id":103216685,"uuid":"444517708","full_name":"external-secrets/vmes","owner":"external-secrets","description":"External Secrets not necessarily in Kubernetes","archived":false,"fork":false,"pushed_at":"2022-02-21T12:06:03.000Z","size":100,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-20T00:58:33.262Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/external-secrets.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-04T18:05:32.000Z","updated_at":"2023-05-12T10:35:06.000Z","dependencies_parsed_at":"2023-06-29T01:01:30.678Z","dependency_job_id":null,"html_url":"https://github.com/external-secrets/vmes","commit_stats":{"total_commits":27,"total_committers":1,"mean_commits":27.0,"dds":0.0,"last_synced_commit":"aabfe336b21f87438b3502b518638f748b5948d9"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/external-secrets/vmes","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/external-secrets%2Fvmes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/external-secrets%2Fvmes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/external-secrets%2Fvmes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/re
positories/external-secrets%2Fvmes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/external-secrets","download_url":"https://codeload.github.com/external-secrets/vmes/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/external-secrets%2Fvmes/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260985150,"owners_count":23092883,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-20T00:58:38.167Z","updated_at":"2025-06-20T17:06:27.308Z","avatar_url":"https://github.com/external-secrets.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vmes\n\nExternal Secrets not necessarily in Kubernetes.\n\nThis project uses [ESO](https://github.com/external-secrets/external-secrets) as a dependency and basically leverages its provider implementations to grab secrets and write them to an env file.\n\nThe initial need here is to run this project as a process on a VM that has some legacy applications, where we want to use secrets that are in a Secrets Manager. But we don't want to keep calling Secrets Managers from our applications; we want to just read values from env vars or env files.\n\nThere is a way to encrypt and decrypt data to hide secrets a bit more. We are still experimenting with it. The idea is that you should generate private and public keys and use vmes together with [saferun](https://github.com/ContainerSolutions/saferun) if you would like asymmetric encryption on your machine. 
No changes are needed to apps reading env vars/env files.\n\n### Disclaimer ⚠️\n\nThis project is in an early access stage. Use at your own discretion.\n\n# How it works\n\nSince we already implemented and tested multiple provider clients in the ESO project, we are just importing them here. Since we had some dependencies on Kubernetes resources for some of the configurations, we have built a client that just looks for yaml files locally instead of calling Kubernetes at all.\n\n# Getting Started\n\nCopy the example files provided to edit and configure them:\n\n```\nmkdir -p ~/.vmes\ncp pkg/configdata/es.yml.example ~/.vmes/es.yml\ncp pkg/configdata/ss.yml.example ~/.vmes/ss.yml\n```\n\nOpen `~/.vmes/es.yml` and edit the following fields:\n\n- **spec.refreshInterval:** Choose a Time Duration interval used by the operator to fetch new secrets (1m = 1 minute, 1h = 1 hour, etc).\n- **spec.target.name:** Choose the env file where this will end up (default is /etc/environment - You need to run as root to write there).\n- **spec.data.secretKey:** The name of the Env Var injected in the machine.\n- **spec.data.remoteRef.Key:** The name of the secret in the external provider.\n\nOpen `~/.vmes/ss.yml` and edit the following fields:\n\n- **spec.provider.aws.region:** Choose the region where you created the secret.\n- **spec.provider.aws.service:** Let us use SecretsManager for this example.\n- **spec.provider.aws.auth:** Keep everything here the same for this example.\n\n\nExport some credentials to be able to pull secrets:\n\n```\nexport AWS_ACCESS_KEY_ID=\"******\"\nexport AWS_SECRET_ACCESS_KEY=\"******\"\n```\n\nExport the version that you want to use:\n\n```\nexport VMES_VERSION=0.0.1\n```\n\nGet that release and put the executable in a directory in your PATH:\n\n```\nwget https://github.com/external-secrets/vmes/releases/download/${VMES_VERSION}/vmes_${VMES_VERSION}_linux_amd64.tar.gz\ntar -xvf vmes_${VMES_VERSION}_linux_amd64.tar.gz\nsudo cp vmes /usr/local/bin/\n```\n\nIf you are using vmes 
encryption and saferun, generate a key pair:\n\n```\nopenssl genrsa -out myuser.key 2048\nopenssl rsa -in myuser.key -out myuser.pub -pubout -outform PEM\n```\n\nTo run the installed release just call vmes anywhere (if you don't want asymmetric encryption, just omit `--public-key-path /home/youruser/.vmes/test.pub`):\n\n```\nvmes --config-path /home/youruser/.vmes --public-key-path /home/youruser/.vmes/test.pub\n```\n\nIf you want, you can build the executable locally:\n\n```\ngo build\n```\n\nAnd run it (if you don't want asymmetric encryption, just omit `--public-key-path /home/youruser/.vmes/test.pub`):\n\n```\n./vmes --config-path /home/youruser/.vmes --public-key-path /home/youruser/.vmes/test.pub\n```\n\nTo get values in your app with saferun, you can use:\n\n```\n./bin/saferun run --private-key=test.key  --only-encrypted /bin/env\n\n# or with your app\n\n./bin/saferun run --private-key=test.key  --only-encrypted /path/to/app\n```\n\nIf you are getting vars from /etc/environment and don't want to re-login to check, you can run:\n\n```\nfor line in $( cat /etc/environment ) ; do export $line ; done\n```\n\n## Systemd config\n\nYou probably want to run this tool as a service on a machine. For that you can create a Systemd unit file and let Systemd manage it. 
Run these commands:\n\n```\nsudo tee /etc/systemd/system/vmes.service \u003e /dev/null \u003c\u003cEOF\n[Unit]\nDescription=vmes\nAfter=network.target\n\n[Service]\nType=idle\nUser=root\nGroup=keycloak\nExecStart=/usr/local/bin/vmes --config-path /home/youruser/.vmes --public-key-path /home/youruser/.vmes/test.pub\nTimeoutStartSec=600\nTimeoutStopSec=600\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\nsudo systemctl daemon-reload\nsudo systemctl start vmes\nsudo systemctl enable vmes\n```\n\n## Docs\n\nYou can find examples and other docs at [docs](docs)\n\n## Roadmap\n\n- [] Only AWS provider working for now, need to reimplement schema here or have another way to grab the right provider\n- [] Add option to use multiple public keys and multiple files to sink in (read more ESs)\n- [] Configure where secrets will sink in\n    - ✅ being an arbitrary file,\n    - [] exported directly as env vars, or something else.\n- ✅ Support assume role and other auth methods\n- [] Test setup\n- ✅ Provide a way to configure different paths for where yaml files could be\n- ✅ Integrate with saferun\n- ✅ Add option to enable/disable encryption (also adds/removes SAFE_RUN_ prefix to envs in source files)\n- [] Upgrade to new ESO CRDs\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexternal-secrets%2Fvmes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fexternal-secrets%2Fvmes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexternal-secrets%2Fvmes/lists"}