{"id":21659212,"url":"https://github.com/kviklet/kviklet","last_synced_at":"2026-02-28T22:10:35.167Z","repository":{"id":203076497,"uuid":"687049294","full_name":"kviklet/kviklet","owner":"kviklet","description":"Pull Request-like Review/Approval flow for database queries. For compliant but smooth Engineering access to production.","archived":false,"fork":false,"pushed_at":"2026-02-27T07:18:54.000Z","size":8684,"stargazers_count":585,"open_issues_count":40,"forks_count":31,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-02-27T12:07:50.677Z","etag":null,"topics":["cyber-security","cybersecurity","database","database-access","devops","kubernetes","mssql","mysql","pam","postgresql","sql-server"],"latest_commit_sha":null,"homepage":"https://kviklet.dev","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kviklet.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-09-04T13:49:22.000Z","updated_at":"2026-02-27T07:18:56.000Z","dependencies_parsed_at":"2023-11-10T14:42:41.538Z","dependency_job_id":"d38304c0-2d47-4a33-b02c-a6c55dcc1856","html_url":"https://github.com/kviklet/kviklet","commit_stats":null,"previous_names":["ops-gate/opsgate","kviklet/kviklet"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/kviklet/kviklet","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kviklet%2Fkviklet","tags_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/kviklet%2Fkviklet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kviklet%2Fkviklet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kviklet%2Fkviklet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kviklet","download_url":"https://codeload.github.com/kviklet/kviklet/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kviklet%2Fkviklet/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29953212,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T18:42:55.706Z","status":"ssl_error","status_checked_at":"2026-02-28T18:42:48.811Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyber-security","cybersecurity","database","database-access","devops","kubernetes","mssql","mysql","pam","postgresql","sql-server"],"created_at":"2024-11-25T09:30:40.414Z","updated_at":"2026-02-28T22:10:35.143Z","avatar_url":"https://github.com/kviklet.png","language":"Kotlin","readme":"# Kviklet\n\n[Kviklet.dev](https://kviklet.dev) | [Release Notes](https://github.com/kviklet/kviklet/releases)\n\nSecure access to production environments without impairing developer 
productivity.\n\n![Kviklet](images/ExecutedRequest_light.png#gh-light-mode-only)\n![Kviklet](images/ExecutedRequest_dark.png#gh-dark-mode-only)\n\nKviklet (pronounced Quick-let) embraces the **Four-Eyes Principle** and a high level of configurability to allow a **Pull Request-like Review and Approval** flow for individual SQL statements or Database sessions. This allows engineering teams to self-regulate on who gets access to what data and when, allowing organizations to stay secure and compliant while embracing modern, empowering and truly \"DevOps\" workflows.\n\nKviklet is a self-hosted docker container that provides you with a Single Page Web app. Log in to create SQL requests or approve the ones of others.\n\nWe currently support **Postgres**, **MySQL**, **MS SQL Server** and **MongoDB**.\n\n## Features\n\nKviklet ships with a variety of features that an engineering team needs to manage their production database access in a **simple but secure** manner:\n\n- **SSO (OIDC, Google, Keycloak, etc.)**: Log into Kviklet without the need for a username or password. No more shared credentials for DB access.\n- **LDAP Support**: Log into Kviklet with your LDAP credentials.\n- **SAML Support**: Log into Kviklet with your SAML credentials. (Enterprise only)\n- **Review/Approval Flow**: Leave comments and suggestions on other developers' data requests.\n- **Temporary Access (1h)**: Execute any statement on a db for 1h after having been approved.\n- **Single Query**: Execute a single statement. 
Allows the reviewer to review your query before execution.\n- **Auditlog**: A single place that logs all executed statements with author, reason for execution, etc.\n- **RBAC**: Configure which team has access to which database/table, to as fine a granularity as the DB engine allows.\n- **Postgres Proxy**: Start a proxy server to use the DB client of your choice, but everything will be stored in the Kviklet Auditlog.\n- **Kubernetes Exec**: Execute a statement on a pod in your Kubernetes cluster. (Currently only supports execution of a single command, no live session yet.)\n\n## Feature by Database/Connection Type\n\nMost features are available for all databases (SSO, LDAP, RBAC, Review/Approval Flow, Auditlog, etc.). But some features are restricted, either because they simply haven't been built yet or because they make no sense for that specific purpose. The following table shows which features are available for which database type:\n\n| Database   | Statement Review | Temporary Access | Proxy(Beta) | Explain Plan |\n| ---------- | ---------------- | ---------------- | ----------- | ------------ |\n| Postgres   | \u0026check;          | \u0026check;          | \u0026check;     | \u0026check;      |\n| MySQL      | \u0026check;          | \u0026check;          | \u0026cross;     | \u0026check;      |\n| MariaDB    | \u0026check;          | \u0026check;          | \u0026cross;     | \u0026check;      |\n| SQL Server | \u0026check;          | \u0026check;          | \u0026cross;     | \u0026check;      |\n| MongoDB    | \u0026check;          | \u0026check;          | \u0026cross;     | \u0026cross;      |\n| Kubernetes | \u0026check;          | \u0026cross;          | \u0026cross;     | \u0026cross;      |\n\n## Setup\n\nKviklet ships as a simple docker container.\nYou can find the available versions under [Releases](https://github.com/kviklet/kviklet/releases). We recommend regularly updating the version you are using as we continue to build new features.  
\nThe latest one currently is `ghcr.io/kviklet/kviklet:0.5.1`. You can also use `:main`, but every now and then we might accidentally merge something buggy, though we try to avoid that.\n\n### Quick Start\n\nIf you just want to try out how it works:\n\n1. Here is a minimal docker-compose.yaml:\n   \u003cdetails\u003e\n   \u003csummary\u003e Click to expand compose content \u003c/summary\u003e\n\n   ```\n   services:\n     postgres:\n       image: postgres:16\n       restart: always\n       environment:\n         POSTGRES_USER: postgres\n         POSTGRES_PASSWORD: postgres\n         POSTGRES_DB: postgres\n       ports:\n         - \"5432:5432\"\n       volumes:\n         - ./postgres-data:/var/lib/postgresql/data\n   #      - ./sample_data.sql:/docker-entrypoint-initdb.d/init.sql\n\n     kviklet-postgres:\n       image: postgres:16\n       restart: always\n       environment:\n         POSTGRES_USER: postgres\n         POSTGRES_PASSWORD: postgres\n         POSTGRES_DB: kviklet\n       ports:\n         - \"5433:5432\"\n       volumes:\n         - ./kviklet-postgres-data:/var/lib/postgresql/data\n\n     kviklet:\n       image: ghcr.io/kviklet/kviklet:main\n       ports:\n         - \"80:8080\"\n       environment:\n         - SPRING_DATASOURCE_URL=jdbc:postgresql://kviklet-postgres:5432/kviklet\n         - SPRING_DATASOURCE_USERNAME=postgres\n         - SPRING_DATASOURCE_PASSWORD=postgres\n         - INITIAL_USER_EMAIL=admin@admin.com\n         - INITIAL_USER_PASSWORD=admin\n       depends_on:\n         - kviklet-postgres\n   ```\n\n   \u003c/details\u003e\n\n2. Run the `docker-compose.yml` via `docker-compose up -d`. Kviklet will spin up on port 80; go to `localhost` and play around. The admin login is admin@admin.com with `admin` as password.\n\n3. The docker-compose contains an extra postgres database for which you can set up a connection in Kviklet. 
To make this database contain some data, uncomment this line:\n\n   ```\n         - ./sample_data.sql:/docker-entrypoint-initdb.d/init.sql\n   ```\n\n   And create a sample_data.sql file:\n\n   \u003cdetails\u003e\n   \u003csummary\u003e Click to expand sample_data.sql content \u003c/summary\u003e\n\n   ```sql\n   CREATE TABLE Locations (\n       Name VARCHAR(100) NOT NULL,\n       Address VARCHAR(255) NOT NULL,\n       City VARCHAR(100) NOT NULL,\n       Country VARCHAR(100) NOT NULL,\n       PostalCode VARCHAR(20) NOT NULL\n   );\n\n   alter table public.Locations\n       owner to postgres;\n\n   INSERT INTO public.Locations (Name, Address, City, Country, PostalCode) VALUES\n   ('Central Park', '59th to 110th St', 'New York', 'USA', '10022'),\n   ('Eiffel Tower', 'Champ de Mars, 5 Avenue Anatole', 'Paris', 'France', '75007'),\n   ('Colosseum', 'Piazza del Colosseo, 1', 'Rome', 'Italy', '00184'),\n   ('Sydney Opera House', 'Bennelong Point', 'Sydney', 'Australia', '2000'),\n   ('Great Wall of China', 'Huairou District', 'Beijing', 'China', '101405');\n   ```\n\n   \u003c/details\u003e\n\n### DB Setup\n\nKviklet needs its own postgres database (or at least schema) to save metadata about queries, connections, approvals, etc.\nYou can find the official Postgres image here: https://hub.docker.com/_/postgres, or use a cloud hosted version by your cloud provider of choice.\n\nWhen starting the kviklet container you will then need to set these three environment variables accordingly:\n\n```\nSPRING_DATASOURCE_PASSWORD = password\nSPRING_DATASOURCE_USERNAME = username\nSPRING_DATASOURCE_URL = jdbc:postgresql://[host]:[port]/[database]?currentSchema=[schema]\n```\n\n#### Alternative Authentication methods\n\n- **IAM Auth:**\n  It is possible to use AWS IAM Auth for the database connection, in which case you simply omit the password and just set the username.\n  You also have to set the env var:\n\n  ```\n  SPRING_DATASOURCE_IAMAUTH=true\n  ```\n\n  Kviklet will load credentials 
from the usual places (env vars, instance roles, etc.) and generate a token for the connection.\n\n- **Certificates:**\n  You can also use certificates for the db connection, see [here](examples/certificates) for an example.\n\n### Initial User\n\nYou will need an initial admin user for configuration purposes. For this, set the 2 env variables\n`INITIAL_USER_EMAIL` and `INITIAL_USER_PASSWORD` so that you can log in to the web interface. You can change the password afterwards via the UI.  \nExample:\n\n```\nINITIAL_USER_EMAIL=admin@example.com\nINITIAL_USER_PASSWORD=someverysecurepassword\n```\n\nWe publish our containers to the GitHub packages for now, so with all this set you can run `ghcr.io/kviklet/kviklet:main`. Don't forget to map port `8080`, which is the default port Kviklet spins up on.\n\nAn example docker run could look like this:\n\n```\ndocker run \\\n-e SPRING_DATASOURCE_PASSWORD=postgres \\\n-e SPRING_DATASOURCE_USERNAME=postgres \\\n-e SPRING_DATASOURCE_URL=jdbc:postgresql://localhost:5432/Kviklet \\\n-e INITIAL_USER_EMAIL=admin@example.com \\\n-e INITIAL_USER_PASSWORD=someverysecurepassword \\\n--network host \\\nghcr.io/kviklet/kviklet:main\n```\n\n### SSO via OIDC\n\n#### Google\n\nIf you want to set up SSO for your Kviklet instance (which makes a lot of sense, since otherwise you have to manage passwords again), you need to set these 3 environment variables:\n\n```\nKVIKLET_IDENTITYPROVIDER_CLIENTID\nKVIKLET_IDENTITYPROVIDER_CLIENTSECRET\nKVIKLET_IDENTITYPROVIDER_TYPE=google\n```\n\nYou can get the Google client id and secret by following Google's instructions here:\nhttps://developers.google.com/identity/gsi/web/guides/get-google-api-clientid\n\nFor valid redirect URIs, you should configure: https://[kviklet_host]/api/login/oauth2/code/google\nFor Allowed Origins, simply your hosted kviklet url.\n\nAfter setting those environment variables everyone in your organization can log in with the Sign in with Google button. 
But they won't have any permissions by default; you will have to assign them a role after they log in once.\n\n#### Keycloak\n\nIf you want to set up SSO with Keycloak instead, you need to set these 4 environment variables:\n\n```\nKVIKLET_IDENTITYPROVIDER_CLIENTID\nKVIKLET_IDENTITYPROVIDER_CLIENTSECRET\nKVIKLET_IDENTITYPROVIDER_TYPE=keycloak\nKVIKLET_IDENTITYPROVIDER_ISSUERURI=http://[host]:[port]/realms/[realm]\n```\n\nYou get the client id and secret when you create an application in Keycloak.\nFor valid redirect URIs, you should configure: https://[kviklet_host]/api/login/oauth2/code/keycloak\nFor Allowed Origins, simply your hosted kviklet url.\n\nAfter setting those environment variables the login page should show a Login with Keycloak button that redirects to your Keycloak instance. We do not currently support role sync, so you will have to manage roles directly in Kviklet manually for now.\n\n#### Other OIDC providers\n\nOther OIDC providers should work similarly to Keycloak. Note that the `redirect URI` will change depending on the type you choose, so if you choose `gitlab` it will be `https://[kviklet_host]/api/login/oauth2/code/gitlab`.\nIf you run into issues feel free to create an issue; we have not tried every single OIDC provider out there (yet) and there might be slight differences in the implementation that might require updates on Kviklet's side.\n\n### LDAP\n\nKviklet supports LDAP authentication. 
To enable and configure LDAP, you can override the following environment variables:\n\n```\nLDAP_ENABLED=true\nLDAP_URL=ldap://your-ldap-server:389\nLDAP_BASE=dc=your,dc=domain,dc=com\nLDAP_PRINCIPAL=cn=admin,dc=your,dc=domain,dc=com\nLDAP_PASSWORD=your-admin-password\nLDAP_UNIQUE_IDENTIFIER_ATTRIBUTE=uid\nLDAP_EMAIL_ATTRIBUTE=mail\nLDAP_FULL_NAME_ATTRIBUTE=cn\nLDAP_USER_OU=people\nLDAP_SEARCH_BASE=ou=people\n```\n\nHere's what each setting means:\n\n- `LDAP_ENABLED`: Set to `true` to enable LDAP authentication.\n- `LDAP_URL`: The URL of your LDAP server.\n- `LDAP_BASE`: The base DN for LDAP searches.\n- `LDAP_PRINCIPAL`: The DN of the admin user for binding to the LDAP server.\n- `LDAP_PASSWORD`: The password for the admin user.\n- `LDAP_UNIQUE_IDENTIFIER_ATTRIBUTE`: The LDAP attribute used as the unique identifier for users (default: \"uid\").\n- `LDAP_EMAIL_ATTRIBUTE`: The LDAP attribute that contains the user's email address (default: \"mail\").\n- `LDAP_FULL_NAME_ATTRIBUTE`: The LDAP attribute that contains the user's full name (default: \"cn\").\n- `LDAP_USER_OU`: The Organizational Unit (OU) where user accounts are stored (default: \"people\").\n- `LDAP_SEARCH_BASE`: Allows you to override the base DN for user searches (default: \"ou=people\"). If you use FreeIPA you might need to set this to e.g. `cn=users`. If set, `LDAP_USER_OU` is ignored.\n\nYou can customize these attributes to match your LDAP schema. After configuring LDAP, users will be able to log in using their LDAP credentials. The first time an LDAP user logs in, a corresponding user account will be created in Kviklet with default permissions. An admin will need to assign appropriate roles to these users after their first login.\n\n### SAML (Enterprise only)\n\nKviklet supports SAML 2.0 authentication. 
To enable SAML, set the following environment variables:\n\n```\nSAML_ENABLED=true\nSAML_ENTITYID=https://your-identity-provider.com\nSAML_SSOSERVICELOCATION=https://your-identity-provider.com/sso\nSAML_VERIFICATIONCERTIFICATE=-----BEGIN CERTIFICATE-----\\nMIICmzCCAYMCBgF4...\\n-----END CERTIFICATE-----\n```\n\nConfiguration details:\n\n- `SAML_ENABLED`: Set to `true` to enable SAML authentication\n- `SAML_ENTITYID`: The entity ID of your SAML identity provider\n- `SAML_SSOSERVICELOCATION`: The SSO service URL of your identity provider\n- `SAML_VERIFICATIONCERTIFICATE`: The X.509 certificate used to verify SAML responses (include the BEGIN/END CERTIFICATE lines)\n\nYou can optionally customize the SAML attribute mappings:\n\n```\nSAML_USERATTRIBUTES_EMAILATTRIBUTE=email\nSAML_USERATTRIBUTES_NAMEATTRIBUTE=name\nSAML_USERATTRIBUTES_IDATTRIBUTE=nameID\n```\n\nYour identity provider should be configured with:\n\n- Entity ID: `https://[kviklet_host]/api/saml2/service-provider-metadata/saml`\n- Redirect URI: `https://[kviklet_host]/api/login/saml2/sso/saml`\n\nAfter configuring SAML, users can log in via the identity provider. On first login, a user account is created with default permissions.\n\nIf you get correctly redirected to the IdP but then get a CORS error, you can add your IdP's host to the allowed origins in Kviklet via:\n\n```\nCORS_ALLOWEDORIGINS=https://[idp_host]\n```\n\n## Configuration\n\n### Connections\n\nAfter starting Kviklet you first have to configure a database connection. Go to Settings -\u003e Databases -\u003e Add Connection.\n\n![Add Connection](images/CreateConnection_light.png#gh-light-mode-only)\n![Add Connection](images/CreateConnection_dark.png#gh-dark-mode-only)\n\nHere you can configure how many reviews are required to run Requests on this connection. You can also configure how often a request can be run. The default is 1 and we recommend sticking to this for most use cases. 
As a special config, setting this to 0 allows any request on the connection to be run an unlimited number of times.\n\n#### AWS IAM AUTH\n\nKviklet supports using IAM Auth for Postgres and MySQL database connections. For this, choose IAM Auth when creating a new connection.\n\n![IAM Auth](images/CreateConnectionIAM_light.png#gh-light-mode-only)\n![IAM Auth](images/CreateConnectionIAM_dark.png#gh-dark-mode-only)\n\nThis will remove the option to set a password and instead use AWS credentials to connect to the database.\n\nKviklet uses AWS's `DefaultCredentialsProvider` to find credentials and generate the token for the connection. This means all typical places should work (env vars or associated instance roles); the exact order is documented here: https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.html\n\nAdditionally, you can provide an AWS role ARN that Kviklet will assume, and use those credentials to create the temporary DB token. This is particularly useful for connecting to databases that are not in the same AWS account as Kviklet. To use this feature, simply enter the role ARN in the designated field when creating or editing an IAM Auth connection. Leaving the field empty will use the default credentials provider (no role assumption).\n\nThe AWS region to use during token generation is inferred from your connection URL, so there is no option to set it.\n\nTo learn how to set up IAM Auth for your database follow the official AWS documentation: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html\nThe main two points are:\n\n- Create a DB user with the IAM auth option and correct permissions\n- Create an IAM policy that allows the AWS entity to generate tokens for this user\n\n### Roles\n\nKviklet ships with 3 roles: Default, Admins and Developers.\n\n- The default role provides Read access to all connections and Requests. This role is assigned to every user and cannot be removed. 
You can, however, alter the permissions of this role as you like.\n- Admins have the permission to create and edit connections, as well as adding new Users and setting their permissions.\n- Developers can create Requests as well as approve and comment on them and of course execute the actual statements.\n\nYou can customize Roles and e.g. give a role only access to a specific connection or a group of DB connections.\nThis is useful e.g. if you have different teams with different databases and want to control access to those more granularly.\n\n#### Creating a new Role\n\nCreating a new role works as follows. Go to Settings -\u003e Roles -\u003e Add Role.\n\n![Add Role](images/CreateRole_light.png#gh-light-mode-only)\n![Add Role](images/CreateRole_dark.png#gh-dark-mode-only)\n\nThe default settings are not as relevant for most roles and you can just give User Read and RoleView Access and leave it at that.\nMore interesting is the adding of individual permissions for Connections. Here you first add a selector to select specific connections. This can either be a specific id, or you can use wildcards with `*` to match multiple connections. E.g. if you want to have a role that has access to all dev databases (in case you also manage access to those with Kviklet) you'd use a selector like `dev-*` and ensure the ids of the connections are set correctly.\n\nYou can of course also make up a system that you use for your different teams inside of your organization.\n\n### Notifications\n\nYou can configure Kviklet to send notifications to a channel in Slack or Teams. This is useful to notify your team about new requests that need to be reviewed. You can configure this in Settings -\u003e General -\u003e Notification Settings.\n\n#### Slack\n\nTo configure Slack notifications you need to create a Slack App and enable webhooks for it. 
You can follow the instructions here: https://api.slack.com/messaging/webhooks\n\n#### Teams\n\nTo configure Teams notifications you need to add a Webhook connector to your channel. The official Microsoft docs on that are here: https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook\n\nTo enable the notifications, simply set the Webhook URL in the Kviklet Notification Settings and click save.\n\nCurrently there are notifications for:\n\n- New Requests, that need approvals\n- New approvals on requests\n\n## Encryption\n\nIf you don't want the credentials to be stored in cleartext in the DB, it is recommended that you enable database encryption on the Kviklet postgres DB itself. For most hosted providers this is a simple checkbox to click.  \nNonetheless, if the Kviklet database is somehow compromised, this is a huge security risk, as it contains the database credentials for potentially all your production datastores. So you can also enable encryption of the credentials at rest.\n\nTo do this, simply set these two environment variables:\n\n```\nENCRYPTION_ENABLED=true\nENCRYPTION_KEY_CURRENT=some-secret\n```\n\nKviklet will encrypt all your existing credentials on startup, and use the secret for future connections that you create.\n\n### Key Rotation\n\nIf you want to rotate the key you can simply add another variable for the previous key and change the current one:\n\n```\nENCRYPTION_KEY_PREVIOUS=some-secret\nENCRYPTION_KEY_CURRENT=another-secret\n```\n\nKviklet will re-encrypt all connections on startup, so that you can then restart the container with the previous key removed.\n\n## Experimental Features\n\nThere are currently two experimental features that were built mostly on community feedback. Feel free to try these out and leave any input that you might have. 
We hope to develop this further in the future and make it work well with the core approval flow.\n\n### Kubernetes Exec\n\nIf you want to use the Kubernetes Exec feature you have to create a separate kubernetes connection. Kviklet will use the user of the deployed pod to execute the command. So make sure that the user has the necessary permissions to execute commands on the pods that you want to access.\n\nKviklet also uses /bin/sh to execute the command, so you will need to make sure your pods have a shell or at least a symlink in /bin/sh. If this bothers you feel free to open an issue, we can potentially make this configurable or find another solution.\n\nKubernetes commands only wait for 5 seconds for output; if the command takes longer than that, Kviklet will wait for up to an hour before timing out the command. This is a provisional solution, we are looking into websockets to make this more responsive and potentially enable terminal sessions.\n\n### Proxy, Postgres only\n\nIf you create requests for temporary access, you can - instead of using the web interface - run your queries through a Kviklet-managed proxy and use the DB client of your choice.\nFor this the container uses ports 5438-6000, so you need to expose those.\nThe user can then create a temporary access request, and click \"Start Proxy\" once it has been approved. Each request will get a port and a user + a temporary password. With this they can connect to the database. Kviklet validates the temp user and password and proxies all requests to the underlying user on the database. Any executed statements are logged in the auditlog as if they were run via the web interface.\nNote that the message parsing on the proxy side hasn't been tested with all clients, so if you run into issues with e.g. 
statements not being logged feel free to open an issue.\n\n![Postgres Proxy](images/PostgresProxy_light.png#gh-light-mode-only)\n![Postgres Proxy](images/PostgresProxy_dark.png#gh-dark-mode-only)\n\n#### Postgres Proxy - TLS\n\nKviklet terminates the TLS connection to the database. That means by default any traffic from and to the proxy itself is not encrypted.  \nIf you want Kviklet to re-encrypt the traffic you can give Kviklet a TLS certificate and key for the proxy by setting the following environment variables:\n\n```\nPROXY_TLS_CERTIFICATE_SOURCE=env\nPROXY_TLS_CERTIFICATE_CERT=your-certificate\nPROXY_TLS_CERTIFICATE_KEY=your-key\n```\n\nAlternatively you can use files:\n\n```\nPROXY_TLS_CERTIFICATE_SOURCE=file\nPROXY_TLS_CERTIFICATE_CERT_FILE=path/to/cert.pem\nPROXY_TLS_CERTIFICATE_KEY_FILE=path/to/key.pem\n```\n\nEither way the certificate and key must be stored in [pem format](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail).\n\n## Questions? Contributions?\n\nIf you have any questions, feel free to create a GitHub issue. I try to answer within a reasonable amount of time and am also happy to develop features for your use case if they fit the general vision of the tool.\nKviklet is currently fully open-source and although I dream of making it pay my bills eventually there are currently no concrete plans on how to approach this.\n\nIf you want to contribute, feel free to fork and create PRs for small things. If you plan bigger features, I'd appreciate some discussion upfront in a GitHub issue or similar.\n\nYou can also contact me at jascha@kviklet.dev.\n","funding_links":[],"categories":["Kotlin"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkviklet%2Fkviklet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkviklet%2Fkviklet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkviklet%2Fkviklet/lists"}