{
  "id": 13563613,
  "url": "https://github.com/hashicorp/vault-secrets-operator",
  "last_synced_at": "2025-05-14T20:09:08.581Z",
  "repository": {
    "id": 148848403,
    "uuid": "566485695",
    "full_name": "hashicorp/vault-secrets-operator",
    "owner": "hashicorp",
    "description": "The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.",
    "archived": false,
    "fork": false,
    "pushed_at": "2025-05-08T03:29:14.000Z",
    "size": 3417,
    "stargazers_count": 519,
    "open_issues_count": 129,
    "forks_count": 120,
    "subscribers_count": 26,
    "default_branch": "main",
    "last_synced_at": "2025-05-08T04:27:43.876Z",
    "etag": null,
    "topics": ["hashicorp", "hashicorp-vault", "kubernetes", "kubernetes-secrets", "operators", "vault"],
    "latest_commit_sha": null,
    "homepage": "https://hashicorp.com",
    "language": "Go",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "other",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/hashicorp.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": "CHANGELOG.md",
        "contributing": null,
        "funding": null,
        "license": "LICENSE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": "CODEOWNERS",
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null,
        "zenodo": null
      }
    },
    "created_at": "2022-11-15T19:20:02.000Z",
    "updated_at": "2025-05-02T18:45:00.000Z",
    "dependencies_parsed_at": "2023-09-22T07:33:03.179Z",
    "dependency_job_id": "ae6f9d2a-5611-4585-b0ee-42d4a27dacf0",
    "html_url": "https://github.com/hashicorp/vault-secrets-operator",
    "commit_stats": null,
    "previous_names": [],
    "tags_count": 26,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fvault-secrets-operator",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fvault-secrets-operator/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fvault-secrets-operator/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fvault-secrets-operator/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hashicorp",
    "download_url": "https://codeload.github.com/hashicorp/vault-secrets-operator/tar.gz/refs/heads/main",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 254219374,
      "owners_count": 22034397,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["hashicorp", "hashicorp-vault", "kubernetes", "kubernetes-secrets", "operators", "vault"],
  "created_at": "2024-08-01T13:01:21.384Z",
  "updated_at": "2025-05-14T20:09:08.557Z",
  "avatar_url": "https://github.com/hashicorp.png",
  "language": "Go",
  "funding_links": [],
  "categories": ["Go", "Secret Management"],
  "sub_categories": [],
  "readme": "# Vault Secrets Operator\n\nThe Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.\n\n## Overview\n\nThe Vault Secrets Operator operates by watching for changes to its supported set of Custom Resource Definitions (CRDs).\nEach CRD provides the specification required to allow the *Operator* to synchronize a Vault Secret to a Kubernetes Secret.\nThe *Operator* writes the *source* Vault secret data directly to the *destination* Kubernetes Secret, ensuring that any\nchanges made to the *source* are replicated to the *destination* over its lifetime. In this way, an application only needs\nto have access to the *destination* secret in order to make use of the secret data contained within.\n\nSee the developer docs for more info [here](https://developer.hashicorp.com/vault/docs/platform/k8s/vso).\n\n### Features\n\nThe following features are supported by the Vault Secrets Operator:\n\n- All Vault secret engines are supported.\n- TLS/mTLS communications with Vault.\n- Authentication using the requesting `Pod`'s `ServiceAccount` via the [Kubernetes Auth Method](https://developer.hashicorp.com/vault/docs/auth/kubernetes).\n- Syncing Vault Secrets to Kubernetes Secrets.\n- Secret rotation for `Deployment`, `ReplicaSet`, `StatefulSet` Kubernetes resource types.\n- Prometheus instrumentation for monitoring the *Operator*.\n- Supported installation methods: `Helm`, `Kustomize`.\n\n## Samples\n\nSet up Kubernetes and deploy the samples:\n\n```shell\n# Start a KinD cluster\nmake setup-kind\n\n# Deploy Vault\nmake setup-integration-test\n\n# Configure Vault\n./config/samples/setup.sh\n\n# Build and deploy the operator\nmake build docker-build deploy-kind\n\n# Deploy the sample K8s resources\nkubectl apply -k config/samples\n```\n\nInspect the resulting secrets:\n\n```shell\nkubectl get secrets -n tenant-1 secret1 -o yaml\n\nkubectl get secrets -n tenant-1 pki1 -o yaml\n\nkubectl get secrets -n tenant-2 secret1 -o yaml\n```\n\nDelete the samples:\n\n```shell\nkubectl delete -k config/samples\n```\n\n### Ingress TLS with VaultPKISecret\n\nThe file `config/samples/secrets_v1beta1_vaultpkisecret_tls.yaml` contains an\nexample of using VaultPKISecret to populate a TLS secret for use with an\nIngress. This sample takes a little more setup to test out (derived from the\n[kind docs](https://kind.sigs.k8s.io/docs/user/ingress/)).\n\nThe TLS example is part of the samples, so set up kind, configure Vault, and\ndeploy the operator as described above.\n\nThen deploy the nginx ingress controller:\n\n```shell\nkubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml\n\nkubectl wait --namespace ingress-nginx \\\n  --for=condition=ready pod \\\n  --selector=app.kubernetes.io/component=controller \\\n  --timeout=90s\n```\n\nCheck the deployed app with something like curl; it should return the `tls-app`\nhostname, and the certificate should have a ~1.5m TTL:\n\n```shell\n$ curl -k https://localhost:38443/tls-app/hostname\ntls-app\n\n$ curl -kvI https://localhost:38443/tls-app/hostname\n...\n* Server certificate:\n*  subject: CN=localhost\n*  start date: Mar 17 05:53:28 2023 GMT\n*  expire date: Mar 17 05:54:58 2023 GMT\n*  issuer: CN=example.com\n...\n```\n\nWatch the nginx controller logs to see the TLS secret being rotated:\n\n```shell\nkubectl logs -f -n ingress-nginx -l app.kubernetes.io/instance=ingress-nginx\n```\n\n## Tests\n\n### Unit Tests\n\n```shell\nmake test\n```\n\n### Integration Tests\n\n```shell\n# Start a KinD cluster\nmake setup-kind\n\n# Build the operator binary, image, and deploy to the KinD cluster\nmake ci-build ci-docker-build ci-deploy-kind ci-deploy\n\n# Run the integration tests (includes Vault deployment)\nmake integration-test\n```\n\n### Integration Tests in EKS\n\n```shell\n# Create an EKS cluster and an ECR repository\nmake -f aws.mk create-eks\n\n# Build the operator image and run the integration tests (includes Vault Community deployment)\nmake -f aws.mk build-push integration-test-eks\n\n# Run the integration tests (includes Vault Enterprise deployment; set the Vault license as an environment variable)\nmake -f aws.mk build-push integration-test-eks VAULT_ENTERPRISE=true ENT_TESTS=true\n```\n\n#### AWS auth test with static credentials\n\n```shell\n# Set SKIP_AWS_STATIC_CREDS_TEST=false and set the credentials for the static creds user via the environment variables TEST_AWS_ACCESS_KEY_ID,\n# TEST_AWS_SECRET_ACCESS_KEY, TEST_AWS_STATIC_CREDS_ROLE (and TEST_AWS_SESSION_TOKEN if applicable) for a user in AWS.\n# Note: these credentials will be set in a Kubernetes secret.\nexport TEST_AWS_ACCESS_KEY_ID=\"...\"\nexport TEST_AWS_SECRET_ACCESS_KEY=\"...\"\nexport TEST_AWS_SESSION_TOKEN=\"...\"\nexport AWS_STATIC_CREDS_ROLE=\"arn:aws:iam::...\"\nmake -f aws.mk integration-test-eks TESTARGS=\"-run TestVaultAuth\" SKIP_AWS_STATIC_CREDS_TEST=false\n```\n\n### Integration Tests in GKE\n\n```shell\n# Export the Google Cloud project id\nexport GCP_PROJECT=\"\u003cproject_id\u003e\"\n\n# Create a GKE cluster and a GAR repository\nmake -f gcp.mk create-gke\n\n# Build the operator image and run the integration tests (includes Vault Community deployment)\nmake -f gcp.mk build-push integration-test-gke\n\n# Run the integration tests (includes Vault Enterprise deployment; set the Vault license as an environment variable)\nmake -f gcp.mk build-push integration-test-gke VAULT_ENTERPRISE=true ENT_TESTS=true\n```\n\n### Integration Tests in AKS\n\n```shell\n# Export the Azure credentials\naz config set core.allow_broker=true \u0026\u0026 az account clear \u0026\u0026 az login\naz account set --subscription \"\u003csubscription_id\u003e\"\naz ad sp create-for-rbac --name \"vault-secrets-operator\" --role \"Owner\" --scopes /subscriptions/\u003csubscription_id\u003e --output json\nexport AZURE_APPID=\"\u003capp_id\u003e\"\nexport AZURE_PASSWORD=\"\u003cpassword\u003e\"\nexport AZURE_TENANT=\"\u003ctenant_id\u003e\"\n\n# Create an AKS cluster and an ACR repository\nmake -f azure.mk create-aks\n\n# Build the operator image and run the integration tests (includes Vault Community deployment)\nmake -f azure.mk build-push integration-test-aks\n\n# Run the integration tests (includes Vault Enterprise deployment; set the Vault license as an environment variable)\nmake -f azure.mk build-push integration-test-aks VAULT_ENTERPRISE=true ENT_TESTS=true\n```\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fvault-secrets-operator",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fhashicorp%2Fvault-secrets-operator",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fvault-secrets-operator/lists"
}