{"id":17903627,"url":"https://github.com/pirogoeth/vault-init","last_synced_at":"2026-01-21T18:01:49.824Z","repository":{"id":141112699,"uuid":"288615692","full_name":"pirogoeth/vault-init","owner":"pirogoeth","description":" Process supervisor with Vault integration ","archived":false,"fork":false,"pushed_at":"2023-06-06T05:48:49.000Z","size":431,"stargazers_count":2,"open_issues_count":5,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-14T04:48:33.545Z","etag":null,"topics":["init","supervisor","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pirogoeth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-08-19T02:40:55.000Z","updated_at":"2022-01-05T16:11:21.000Z","dependencies_parsed_at":null,"dependency_job_id":"a1a624e8-5703-41a3-82bb-9ceded928439","html_url":"https://github.com/pirogoeth/vault-init","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pirogoeth%2Fvault-init","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pirogoeth%2Fvault-init/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pirogoeth%2Fvault-init/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pirogoeth%2Fvault-init/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pirogoeth","download_url":"https://codeload.github.com/pirogoeth/vault-init/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247798681,"owners_count":20998033,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["init","supervisor","vault"],"created_at":"2024-10-28T16:41:02.445Z","updated_at":"2026-01-21T18:01:49.746Z","avatar_url":"https://github.com/pirogoeth.png","language":"Go","readme":"# `vault-init`\n\n![build status](https://concourse.dev.maio.me/api/v1/teams/main/pipelines/vault-init/badge)\n\n## Rationale\n\nPreviously, I could use Nomad's templating to insert data from Vault into an application.\nSince we're now using Docker's Swarm Mode instead, I can't use any fancy templating.\nBut I also do not want to go back to placing secrets inside of workload definitions.\n\n## Design Decisions / Roadmap\n\n- [X] Will run as an init system inside a container\n - Luckily this will not require a ton of functionality\n - We need to be able to:\n - [X] Spawn processes\n - [X] Reap dead children\n - Perform signal forwarding to children\n - [X] Forward all environment variables to children\n - **EXCLUDING** Vault-init configuration (`INIT_*`, optionally `VAULT_*` when `--no-inherit-token` is unset)\n- [X] Get Vault connect token from environment var or from file\n - [X] VAULT_TOKEN_FILE, which would load in to VAULT_TOKEN\n - (this supports `docker secrets` well)\n- [X] We can piggyback on Vault's preset client configuration environment variables\n - https://github.com/hashicorp/vault/blob/master/api/client.go#L28\n- [X] Connect to Vault using `VAULT_TOKEN`/`VAULT_TOKEN_FILE`\n - [X] Generate a token with policies given by `INIT_ACCESS_POLICIES`\n - [X] Token should have `VAULT_TOKEN` as parent unless `INIT_ORPHAN_TOKEN` is `true`\n - [ ] Token roles?\n - [X] Token should be renewable unless `INIT_DISABLE_RENEW` is `true`\n - [X] Token should be provided to child as `VAULT_TOKEN` unless `INIT_NO_INHERIT_TOKEN` is `true`\n - [X] Token should be revoked on `vault-init` exit\n- [X] Use Go's `text/template` library to do templating into environment variables and files in the container\n - [X] Template context loaded in based on comma-separated `INIT_PATHS`\n - Example:\n - `export INIT_PATHS=\"/secret/services/concourse\"`\n - `export INIT_PATHS=\"/secret/services/sourcegraph,/secret/services/oauth2-proxy/sourcegraph\"`\n - [ ] When multiple paths are provided, try to contextually diff the URLs to create nested structure\n - If only one path is provided, it would become the top-level data\n - If more than one path is provided, and the paths share ancestry:\n - Example:\n - `path:\"/secret/data/services/concourse\"`\n - `path:\"/secret/data/services/sourcegraph\"`\n - ` ^^^^^^^^^^^^^^^^^^^^^^ shared ancestry`\n - `.Data.concourse.some_value`\n - `.Data.sourcegraph.some_value`\n - If more than one path is provided and the paths do not share ancestry:\n - Example:\n - `path:\"/secret/data/services/concourse\"`\n - `path:\"/kv1/services/haproxy\"`\n - `.Data.secret.data.services.concourse.some_value`\n - `.Data.kv1.services.haproxy`\n - Helpers for certain actions(?)\n - Undetermined\n- [~] Correctly handle renewable secrets\n - [~] Leased secrets\n - [X] Should be renewed\n - [ ] Should be revoked when `vault-init` exits\n - [~] Auth secrets\n - [X] Should be renewed\n - [ ] Should be revoked when `vault-init` exits","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpirogoeth%2Fvault-init","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpirogoeth%2Fvault-init","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpirogoeth%2Fvault-init/lists"}