{"id":24973404,"url":"https://github.com/finleap-connect/vaultoperator","last_synced_at":"2025-10-07T19:49:56.198Z","repository":{"id":37096512,"uuid":"459563057","full_name":"finleap-connect/vaultoperator","owner":"finleap-connect","description":"VaultOperator provides a CRD to interact securely and indirectly with secrets stored in Hashicorp Vault.","archived":false,"fork":false,"pushed_at":"2023-04-23T09:57:49.000Z","size":461,"stargazers_count":3,"open_issues_count":11,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-09-10T05:25:25.279Z","etag":null,"topics":["devops","kubernetes","secrets","security","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/finleap-connect.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-15T12:09:59.000Z","updated_at":"2022-03-12T13:12:20.000Z","dependencies_parsed_at":"2024-06-20T02:54:14.753Z","dependency_job_id":"31cb620f-1dce-40ec-9d46-ec7e2d573d7d","html_url":"https://github.com/finleap-connect/vaultoperator","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/finleap-connect/vaultoperator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finleap-connect%2Fvaultoperator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finleap-connect%2Fvaultoperator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finleap-connec
t%2Fvaultoperator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finleap-connect%2Fvaultoperator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/finleap-connect","download_url":"https://codeload.github.com/finleap-connect/vaultoperator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finleap-connect%2Fvaultoperator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278838019,"owners_count":26054720,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","kubernetes","secrets","security","vault"],"created_at":"2025-02-03T18:59:15.500Z","updated_at":"2025-10-07T19:49:56.180Z","avatar_url":"https://github.com/finleap-connect.png","language":"Go","readme":"# `vault-operator`\n\n[![Build status](https://github.com/finleap-connect/vaultoperator/actions/workflows/golang.yaml/badge.svg)](https://github.com/finleap-connect/vaultoperator/actions/workflows/golang.yaml)\n[![Coverage Status](https://coveralls.io/repos/github/finleap-connect/vaultoperator/badge.svg?branch=main)](https://coveralls.io/github/finleap-connect/vaultoperator?branch=main)\n[![Go Report 
Card](https://goreportcard.com/badge/github.com/finleap-connect/vaultoperator)](https://goreportcard.com/report/github.com/finleap-connect/vaultoperator)\n[![Go Reference](https://pkg.go.dev/badge/github.com/finleap-connect/vaultoperator.svg)](https://pkg.go.dev/github.com/finleap-connect/vaultoperator)\n[![GitHub release](https://img.shields.io/github/release/finleap-connect/vaultoperator.svg)](https://github.com/finleap-connect/vaultoperator/releases)\n\nThe `vault-operator` provides several CRDs to interact securely and indirectly with secrets.\n\n## Quick start\n\nAdd the helm repository to your list of repos:\n\n```bash\n$ helm repo add finleap-connect https://finleap-connect.github.io/charts/\n$ helm repo update\n```\n\nExecute the following to get the complete list of values available:\n\n```bash\nhelm show values finleap-connect/vault-operator --version \u003cVERSION\u003e\n```\n\nConfigure at least the following settings within your `values.yaml`:\n```yaml\n# Configure Vault connection\nvault:\n  addr: \"\" # Required address of Vault\n  tls:\n    secretName: \"\" # Required secret containing CA to access Vault\n  credentials:\n    secretName: \"\" # Required secret containing AppRole credentials as fields VAULT_ROLE_ID and VAULT_SECRET_ID, see https://www.vaultproject.io/docs/auth/approle\n  namespace: \"\" # Optional Vault namespace to connect to\n\n# Set which secret engines may be accessed through namespaced sub-paths (e.g. app/<namespace>)\nallowedSecretEngines:\n  - app\n\n# Set which paths in Vault are allowed to be accessed from any namespace\nsharedPaths:\n  - shared\n```\n\nInstall VaultOperator with the following command (Helm 3 syntax, where the release name precedes the chart):\n\n```bash\n$ helm install myrelease finleap-connect/vault-operator --version \u003cVERSION\u003e --values values.yaml\n```\n\n## Details\n\nCurrently only _stage 1_ is implemented, which includes the `VaultSecret`-CRD.\n\nFor future features and planning refer to [DESIGN.md](./DESIGN.md).\n\n### `VaultSecret`\n\nTo give indirect control over secrets the 
`VaultSecret` can be used. For each\nfield name in a `Secret` it refers to a location in _vault_ and will pull the data and write it to the secret.\n\nIf the data in _vault_ does _not_ exist, it will be created if a `generator` is\nprovided. Currently several generators are implemented:\n\n* `string` generates a random string with length `args[0]`\n* `bytes` generates random bytes with length `args[0]`\n* `password` special form of string generation where `args[0]` is the length and is mandatory. `args[1]` optionally specifies the number of digits and `args[2]` optionally defines the number of symbols.\n* `rsa` generates an RSA private key with bit size `args[0]` (encoded as PEM)\n* `ecdsa` generates an EC private key with curve `args[0]` (encoded as PEM)\n\nLocations in the vault are given by the `path` and the `field` within the entry.\nOptionally the version of the entry may be given. This is only valid if the secret\nengine of the entry is of the type `KV v2`. To ensure reproducible deployments,\nthe version number should be set whenever possible.\n\nFurthermore, simplified permission control exists. Every `VaultSecret` can access\nshared spaces which can be configured via the Helm Chart, but otherwise only namespaced sub-paths\nare permitted, e.g. 
`VaultSecret` in `mynamespace` can access `app/mynamespace`.\n\nExample:\n\n```yaml\napiVersion: vault.finleap.cloud/v1alpha1\nkind: VaultSecret\nmetadata:\n  name: myvaultsecret\n  namespace: mynamespace\nspec:\n  secretName: name-of-generated-secret  # optional, defaults to the name of the VaultSecret\n  secretLabels: # optional, specify labels for the managed secret\n    foo: bar\n  data: # optional if dataFrom is specified\n  - name: something\n    generator: # optional\n      name: \"string\"\n      args: [16]\n    location: # required, if variables and template not provided\n      path: app/test/foo\n      field: bar\n  - name: morecomplex\n    variables: # required, if location not provided\n    - name: \"test\"\n      location:\n        path: app/test/fizz\n        field: buzz\n        isBinary: 1 # optional\n        version: 1 # optional\n      generator: # optional, same as above\n    template: |- # required if location not provided\n      asdasd {{.test}}\n  dataFrom: # optional if data is specified, gets all fields under a given vault path\n  - path: app/test/bar\n    version: 1 # optional\n    collisionStrategy: \"Error\" # optional\n    # Valid values are:\n    # - \"Error\" (default): Errors if a field on this vault secret already exists on the resulting K8s secret\n    # - \"Ignore\": Value from this vault secret will be ignored if the same field already exists on the resulting K8s secret\n    # - \"Overwrite\": Value from this vault secret will override an already existing field on the resulting K8s secret\n  - path: app/test/bazz\n    version: 1 # optional\n    collisionStrategy: \"Overwrite\" # optional\n```\n\n#### Special cases\n\n1. If the VaultSecret only contains a single data element with the name `.dockerconfigjson`,\nthe created secret will have the type `kubernetes.io/dockerconfigjson` instead of `Opaque`.\n2. When using a generator, a fixed version must not be set. Renewal for generated secrets is an ongoing discussion. 
The generator will only run if the concrete field in the secret does not yet exist in vault.\n3. If `dataFrom` is used, multiple paths in vault can be specified and all fields of the paths in vault will be joined in one secret. As collisions can occur, it is possible to define a strategy for handling them. The default strategy is `Error`.\n\n## Development\n\nThis project utilizes [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder),\nso please refer to its [documentation](https://github.com/kubernetes-sigs/kubebuilder/blob/master/designs/simplified-scaffolding.md) to understand the scaffolding (there\nare significant differences to the [standard layout](https://github.com/golang-standards/project-layout)).\n\n### Prerequisites\n\nThe test suite needs the kubebuilder assets. If they are not installed in the default\npath, make sure to set `KUBEBUILDER_ASSETS` before running tests.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffinleap-connect%2Fvaultoperator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffinleap-connect%2Fvaultoperator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffinleap-connect%2Fvaultoperator/lists"}