{"id":45549906,"url":"https://github.com/gites/vault-cert-helper","last_synced_at":"2026-02-23T05:06:07.954Z","repository":{"id":88513813,"uuid":"148313801","full_name":"gites/vault-cert-helper","owner":"gites","description":" Vault-cert-helper is a simple tool intended to help you provision certificates from on-premises Vault to services running in AWS and GCE (or any other S3 compatible cloud).","archived":false,"fork":false,"pushed_at":"2019-01-13T13:25:52.000Z","size":16,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-11-17T22:35:06.613Z","etag":null,"topics":["aws","cert","gce","k8s","pki","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gites.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-11T12:29:19.000Z","updated_at":"2024-07-04T02:36:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"e0dc8404-d9b6-4bac-9387-d33fc14367eb","html_url":"https://github.com/gites/vault-cert-helper","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/gites/vault-cert-helper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gites%2Fvault-cert-helper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gites%2Fvault-cert-helper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gites%2Fvault-cert-helper/releases","manifests_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/gites%2Fvault-cert-helper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gites","download_url":"https://codeload.github.com/gites/vault-cert-helper/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gites%2Fvault-cert-helper/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29738083,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-23T04:51:08.365Z","status":"ssl_error","status_checked_at":"2026-02-23T04:49:15.865Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cert","gce","k8s","pki","vault"],"created_at":"2026-02-23T05:06:07.064Z","updated_at":"2026-02-23T05:06:07.948Z","avatar_url":"https://github.com/gites.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vault-cert-helper\n\nVault-cert-helper is a simple tool intended to help you provision certificates from on-premises Vault to services running in AWS and GCE (or any other S3 compatible cloud).\n\nThe service running in the cloud needs to be able to fetch the certificate from S3. 
\n\nVault-cert-helper will check whether the certificate is older than half of its validity time and, if so, request a new one from Vault based on the provided CSR and store it in S3.\n\nThis tool is intended to be deployed as a K8s CronJob but can also be used standalone.\n\n\n# command line options\n\n```yaml\nUsage:\n  vault-cert-helper [OPTIONS]\n\nApplication Options:\n  -v, --verbose  Show verbose debug information\n  -V, --version  Show version information\n\nHelp Options:\n  -h, --help     Show this help message\n```\n\nBy default vault-cert-helper will look for a configuration file named `vault-cert-helper.yaml` in the following locations:\n- `$HOME`\n- `.`\n- `/config`\n\n# configuration file example - K8s ServiceAccount auth\n\n```yaml\n# https://github.com/minio/minio-go/blob/master/s3-endpoints.go#L22-L39\nendpoint: \"http://192.168.99.1:9000\"                    # endpoint for s3 compatible services\ns3SecretPath: \"kv/secret/path\"                          # secrets for accessing S3, only v1 Vault KV backend is supported (accessKeyID and secretAccessKey)\nauthMethod: \"sa\"                                        # sa - for K8s ServiceAccount, token - for token based\nauthRole: \"vch\"                                         # auth role used to login when using K8s ServiceAccount auth method\nauthPath: \"auth/kubernetes/login\"                       # auth path endpoint in vault\nvault: \"https://192.168.99.1:8200\"                      # vault server uri\npkiPath: \"pki/sign/woop.sh\"                             # pki path\nttl: \"1m\"                                               # default ttl for requested certs\ncaCert: \"/etc/ssl/certs/planet_express_ca.pem\"          # path to custom CA Cert file\npkiSpec:                                                # pki spec\n  woop:                                                 # custom name\n    csr: \"s3://some/long/name/woop.sh.csr\"              # path to CSR on S3 bucket\n    cert: 
\"s3://some/long/name/woop.sh.pem\"             # path to CERT on S3 bucket\n    ttl: \"1m\"                                           # ttl for that cert (overwrite default ttl)\n  zoidberg:\n    csr: \"s3://some/long/name/zoidberg.woop.sh.csr\"\n    cert: \"s3://some/long/name/zoidberg.woop.sh.pem\"\n  zoidberg2:\n    csr: \"s3://some/long/name/zoidberg2.woop.sh.csr\"\n    cert: \"s3://some/long/name/zoidberg2.woop.sh.pem\"\n    pkiPath: \"pki/sign/woop.sh\"                         # path to custom pki role\n```\n\n\n# configuration file example - Vault token\n```yaml\n# https://github.com/minio/minio-go/blob/master/s3-endpoints.go#L22-L39\nendpoint: \"http://192.168.99.1:9000\"                    # endponit for s3 compatibile services\ns3SecretPath: \"kv/secret/path\"                          # secrets for accessing S3, only v1 Vault KV backend is supported (accessKeyID and secretAccessKey)\nauthMethod: \"token\"                                     # sa - for K8s ServiceAccount, token - for token based  \ntoken: \"8cc8ddf5-063c-6a85-9971-7a50e9b72811\"           # vault token, can by also in env VAULT_TOKEN\nvault: \"https://192.168.99.1:8200\"                      # vault server uri\npkiPath: \"pki/sign/woop.sh\"                             # path to default pki role\nttl: \"1m\"                                               # default ttl for reqested certs \ncaCert: \"/etc/ssl/certs/planet_express_ca.pem\"          # path to custom CA Cert file\npkiSpec:                                                # pki spec\n  woop:                                                 # custom name\n    csr: \"s3://some/long/name/woop.sh.csr\"              # path to CSR on S3 bucket\n    cert: \"s3://some/long/name/woop.sh.pem\"             # path to CERT on S3 bucket\n    ttl: \"1m\"                                           # ttl for that cert (overwrite default ttl)\n  zoidberg:\n    csr: \"s3://some/long/name/zoidberg.woop.sh.csr\"\n    cert: 
\"s3://some/long/name/zoidberg.woop.sh.pem\"\n  zoidberg2:\n    csr: \"s3://some/long/name/zoidberg2.woop.sh.csr\"\n    cert: \"s3://some/long/name/zoidberg2.woop.sh.pem\"\n    pkiPath: \"pki/sign/woop.sh\"                         # path to custom pki role\n```\n\n# enviroment variables \n\n- all vault environment variables can be used https://www.vaultproject.io/docs/commands/index.html#environment-variables\n- each value in the config file can be overwritten by environment variable by using `VCH_` prefix and config field name. Variables name needs to be all uppercase.\n\n# example AWS S3 policy\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"VisualEditor0\",\n            \"Effect\": \"Allow\",\n            \"Action\": \"s3:GetObject\",\n            \"Resource\": [\n                \"arn:aws:s3:::some/long/name/woop.sh.csr\",\n                \"arn:aws:s3:::some/long/name/zoidberg.woop.sh.csr\",\n                \"arn:aws:s3:::some/long/name/zoidberg2.woop.sh.csr\",\n                \"arn:aws:s3:::some/long/name/\"\n            ]\n        },\n        {\n            \"Sid\": \"VisualEditor1\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"s3:PutObject\",\n                \"s3:GetObject\"\n            ],\n            \"Resource\": [\n                \"arn:aws:s3:::some/long/name/woop.sh.pem\",\n                \"arn:aws:s3:::some/long/name/zoidberg.woop.sh.pem\",\n                \"arn:aws:s3:::some/long/name/zoidberg2.woop.sh.pem\",                \n                \"arn:aws:s3:::some/long/name/\"\n            ]\n        }\n    ]\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgites%2Fvault-cert-helper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgites%2Fvault-cert-helper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgites%2Fvault-cert-helper/lists"}