{"id":25980086,"url":"https://github.com/ot-container-kit/k8s-vault-webhook","last_synced_at":"2025-03-05T07:33:34.781Z","repository":{"id":51237315,"uuid":"360098446","full_name":"OT-CONTAINER-KIT/k8s-vault-webhook","owner":"OT-CONTAINER-KIT","description":"A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers","archived":false,"fork":false,"pushed_at":"2023-01-05T01:36:40.000Z","size":5335,"stargazers_count":116,"open_issues_count":5,"forks_count":11,"subscribers_count":7,"default_branch":"master","last_synced_at":"2023-11-07T18:17:57.885Z","etag":null,"topics":["aws","azure","hashicorp-vault","helm","inside-kubernetes","integration","k8s-vault-webhook","kuberenetes","kubernetes","secret-management","secret-managers","secrets","vault","webhook"],"latest_commit_sha":null,"homepage":"https://ot-container-kit.github.io/k8s-vault-webhook/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OT-CONTAINER-KIT.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-04-21T08:55:25.000Z","updated_at":"2023-11-07T12:57:14.000Z","dependencies_parsed_at":"2023-02-03T04:15:26.997Z","dependency_job_id":null,"html_url":"https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook","commit_stats":null,"previous_names":[],"tags_count":4,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OT-CONTAINER-KIT%2Fk8s-vault-webhook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OT-CONTAINER-KIT%2Fk8s-vault-webhook/tags","releases_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/OT-CONTAINER-KIT%2Fk8s-vault-webhook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OT-CONTAINER-KIT%2Fk8s-vault-webhook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OT-CONTAINER-KIT","download_url":"https://codeload.github.com/OT-CONTAINER-KIT/k8s-vault-webhook/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241989365,"owners_count":20053796,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","azure","hashicorp-vault","helm","inside-kubernetes","integration","k8s-vault-webhook","kuberenetes","kubernetes","secret-management","secret-managers","secrets","vault","webhook"],"created_at":"2025-03-05T07:33:34.009Z","updated_at":"2025-03-05T07:33:34.770Z","avatar_url":"https://github.com/OT-CONTAINER-KIT.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n    \u003cimg src=\"./static/k8s-vault-webhook-logo.svg\" height=\"160\" width=\"120\"\u003e\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://dev.azure.com/opstreedevops/DevOps/_build?definitionId=4\"\u003e\n    \u003cimg src=\"https://dev.azure.com/opstreedevops/DevOps/_apis/build/status/k8s-vault-webhook/k8s-vault-webhook?branchName=master\" alt=\"Azure Pipelines\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/OT-CONTAINER-KIT/k8s-vault-webhook\"\u003e\n    \u003cimg 
src=\"https://goreportcard.com/badge/github.com/OT-CONTAINER-KIT/k8s-vault-webhook\" alt=\"GoReportCard\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"http://golang.org\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/go-mod/go-version/OT-CONTAINER-KIT/k8s-vault-webhook\" alt=\"GitHub go.mod Go version (subdirectory of monorepo)\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"http://golang.org\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/Made%20with-Go-1f425f.svg\" alt=\"made-with-Go\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://quay.io/repository/opstree/k8s-vault-webhook\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/container-ready-green\" alt=\"Docker\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook/master/LICENSE\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/License-Apache%202.0-blue.svg\" alt=\"License\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\nk8s-vault-webhook is a Kubernetes admission webhook which listens for events related to Kubernetes resources and injects secrets directly from a secret manager into pods, secrets, and configmaps.\nThe motive for creating this project is to provide dynamic secret injection into containers/pods running inside Kubernetes from different secret managers for enhanced security.\n\nDocumentation is available here: https://ot-container-kit.github.io/k8s-vault-webhook/\n\nBlog link: https://blog.opstree.com/2021/09/14/introducing-kubernetes-vault-web-hook/\n\nThe secret managers currently supported:\n\n- **[Hashicorp Vault](https://www.vaultproject.io/)**\n- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**\n- **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**\n- **[GCP Secret Manager](https://cloud.google.com/secret-manager)**\n\nThis project is based on secret-consumer-webhook. 
Please check out the source code at https://github.com/innovia/secrets-consumer-webhook.\n\n### Supported Features\n\n- Authentication to Hashicorp Vault using a Kubernetes service-account\n- RBAC implementation of Vault using different Vault policies and association of a policy with a service-account\n- Inject secrets directly to pods/containers running inside Kubernetes\n- Inject secrets directly to pods/containers from AWS Secret Manager\n- Authentication with AWS Secret Manager with access key and IAM role\n- Fetch secrets from Azure Key Vault and inject them in pods/containers\n- Pod AD identity and Service principal based authentication in Azure\n- Authenticate and authorize using GCP service-account and annotations\n- Secret injection in pods/containers from GCP Secret Manager\n- Support regex to inject all secrets from a certain path of Vault\n- Inject secrets directly into the container's process, i.e. after the injection you cannot read the secrets from the environment variables\n\n### Architecture\n\n\u003cdiv align=\"center\"\u003e\n    \u003cimg src=\"./static/k8s-vault-webhook-arc.png\"\u003e\n\u003c/div\u003e\n\n### Installation\n\nk8s-vault-webhook can easily be installed using [Helm](https://helm.sh/). 
We simply need to add the repository of our [helm charts](https://github.com/OT-CONTAINER-KIT/helm-charts).\n\n```shell\n$ helm repo add ot-helm https://github.com/OT-CONTAINER-KIT/helm-charts\n\n$ helm upgrade k8s-vault-webhook ot-helm/k8s-vault-webhook --namespace \u003cnamespace\u003e --install\n```\n\nIf you want to pass your custom values file while installing the chart, you can find the values file [here](https://github.com/OT-CONTAINER-KIT/helm-charts/blob/main/charts/k8s-vault-webhook/values.yaml)\n\n### Quickstart\n\nTo set up a quickstart environment for a demo, start from [here](https://ot-container-kit.github.io/k8s-vault-webhook/)\n\n### Development\n\nIf you would like to contribute to this project, you are more than welcome. Please see our [DEVELOPMENT.md](./DEVELOPMENT.md) for details.\n\n### Release History\n\nPlease see our [CHANGELOG.md](./CHANGELOG.md) for details.\n\n### Contact\n\nIf you have any suggestions or queries, contact us at\n\n[opensource@opstree.com](mailto:opensource@opstree.com)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fot-container-kit%2Fk8s-vault-webhook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fot-container-kit%2Fk8s-vault-webhook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fot-container-kit%2Fk8s-vault-webhook/lists"}