{"id":21291496,"url":"https://github.com/postfinance/vault-kubernetes","last_synced_at":"2025-10-28T05:45:06.234Z","repository":{"id":37884224,"uuid":"159191255","full_name":"postfinance/vault-kubernetes","owner":"postfinance","description":"Authenticate services to @hashicorp Vault via the Kubernetes auth method","archived":false,"fork":false,"pushed_at":"2025-09-12T08:41:49.000Z","size":463,"stargazers_count":78,"open_issues_count":4,"forks_count":24,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-09-12T10:31:19.711Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/postfinance.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-11-26T15:29:14.000Z","updated_at":"2025-09-12T08:26:47.000Z","dependencies_parsed_at":"2024-01-10T09:46:39.750Z","dependency_job_id":"94bfba06-3462-4b57-b66d-60ab55dde41a","html_url":"https://github.com/postfinance/vault-kubernetes","commit_stats":null,"previous_names":[],"tags_count":26,"template":false,"template_full_name":null,"purl":"pkg:github/postfinance/vault-kubernetes","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fvault-kubernetes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fvault-kubernetes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fvault-
kubernetes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fvault-kubernetes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/postfinance","download_url":"https://codeload.github.com/postfinance/vault-kubernetes/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fvault-kubernetes/sbom","scorecard":{"id":741793,"data":{"date":"2025-08-11","repo":{"name":"github.com/postfinance/vault-kubernetes","commit":"699e70923d859ee4365751a69a3e021e0040c7cb"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/8 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":9,"reason":"11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: 
GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/codeql-analysis.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/postfinance/vault-kubernetes/codeql-analysis.yml/main?enable=pin","Warn: containerImage not pinned by hash: packaging/docker/authenticator/Dockerfile:1","Warn: containerImage not pinned by hash: packaging/docker/synchronizer/Dockerfile:1","Warn: containerImage not pinned by hash: packaging/docker/token-renewer/Dockerfile:1","Warn: goCommand not pinned by hash: .github/workflows/build.yml:29","Info:   0 out of  12 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   4 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned","Info:   0 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to 
analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: could not determine whether codeowners review is allowed","Warn: no status checks found to merge onto branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.3.8 not signed: https://api.github.com/repos/postfinance/vault-kubernetes/releases/201617881","Warn: release artifact v0.3.7 not signed: https://api.github.com/repos/postfinance/vault-kubernetes/releases/183096690","Warn: release artifact v0.3.6 not signed: 
https://api.github.com/repos/postfinance/vault-kubernetes/releases/164353885","Warn: release artifact v0.3.5 not signed: https://api.github.com/repos/postfinance/vault-kubernetes/releases/149399920","Warn: release artifact v0.3.4 not signed: https://api.github.com/repos/postfinance/vault-kubernetes/releases/136471208","Warn: release artifact v0.3.8 does not have provenance: https://api.github.com/repos/postfinance/vault-kubernetes/releases/201617881","Warn: release artifact v0.3.7 does not have provenance: https://api.github.com/repos/postfinance/vault-kubernetes/releases/183096690","Warn: release artifact v0.3.6 does not have provenance: https://api.github.com/repos/postfinance/vault-kubernetes/releases/164353885","Warn: release artifact v0.3.5 does not have provenance: https://api.github.com/repos/postfinance/vault-kubernetes/releases/149399920","Warn: release artifact v0.3.4 does not have provenance: https://api.github.com/repos/postfinance/vault-kubernetes/releases/136471208"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yml:31"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (24) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T17:38:14.488Z","repository_id":37884224,"created_at":"2025-08-22T17:38:14.488Z","updated_at":"2025-08-22T17:38:14.488Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281391761,"owners_count":26492903,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-28T02:00:06.022Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-21T13:33:55.100Z","updated_at":"2025-10-28T05:45:06.202Z","avatar_url":"https://github.com/postfinance.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Go Report Card](https://goreportcard.com/badge/github.com/postfinance/vault-kubernetes)](https://goreportcard.com/report/github.com/postfinance/vault-kubernetes)\n[![Build](https://github.com/postfinance/vault-kubernetes/actions/workflows/build.yml/badge.svg)](https://github.com/postfinance/vault-kubernetes/actions/workflows/build.yml)\n\n\u003c!-- START 
doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n**Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*\n\n- [Credits](#credits)\n- [Scenarios](#scenarios)\n  - [Scenario 1 - Get a Vault token for one time use](#scenario-1---get-a-vault-token-for-one-time-use)\n  - [Scenario 2 - Sync Vault secrets to Kubernetes secrets](#scenario-2---sync-vault-secrets-to-kubernetes-secrets)\n  - [Scenario 3 - Get a Vault token for use during the lifetime of a pod](#scenario-3---get-a-vault-token-for-use-during-the-lifetime-of-a-pod)\n- [Issues](#issues)\n- [Vault client configuration](#vault-client-configuration)\n- [Init Container _vault-kubernetes-authenticator_](#init-container-_vault-kubernetes-authenticator_)\n  - [Configuration](#configuration)\n  - [Example](#example)\n- [Init Container _vault-kubernetes-synchronizer_](#init-container-_vault-kubernetes-synchronizer_)\n  - [Secret Mapping](#secret-mapping)\n  - [Encoding](#encoding)\n  - [Configuration](#configuration-1)\n  - [Error handling](#error-handling)\n  - [Example](#example-1)\n  - [Example - with failed authentication](#example---with-failed-authentication)\n  - [Example - with failed synchronizer](#example---with-failed-synchronizer)\n    - [Permission issue](#permission-issue)\n    - [KV/Vault engine Version missing](#kvvault-engine-version-missing)\n- [Sidecar _vault-kubernetes-token-renewer_](#sidecar-_vault-kubernetes-token-renewer_)\n  - [Configuration](#configuration-2)\n  - [Example](#example-2)\n- [Build](#build)\n- [Demo](#demo)\n- [Links](#links)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n\n# Credits\n[Based on the work of Seth Vargo](https://github.com/sethvargo/vault-kubernetes-authenticator)\n\n\n# Scenarios\n\n## Scenario 1 - Get a Vault token for one time use\n\nStart the Init Container 
_vault-kubernetes-authenticator_ to authenticate to Vault and get a Vault token.\n\nThe Vault token will expire after the given TTL.\n\n## Scenario 2 - Sync Vault secrets to Kubernetes secrets\n\nStart the Init Container _vault-kubernetes-authenticator_ to authenticate to Vault and get a Vault token.\n\nAfter successful completion, start the Init Container _vault-kubernetes-synchronizer_ to synchronize secrets to Kubernetes.\n\nThe Vault token will expire after the given TTL.\n\n## Scenario 3 - Get a Vault token for use during the lifetime of a pod\n\nStart the Init Container _vault-kubernetes-authenticator_ to authenticate to Vault and get a Vault token.\n\nAfter successful completion, start the Sidecar Container _vault-kubernetes-token-renewer_ to regularly renew your Vault token.\n\n\n# Issues\n\nThe _vault-kubernetes-token-renewer_ container will be restarted if the token renewal fails (for restartPolicy=Always). When the token cannot be renewed (e.g. because it has expired in the meantime), there are two options:\n- let the pod terminate and restart. On restart _vault-kubernetes-authenticator_ will issue a new token. A possible solution could be to use [Share Process Namespace between Containers in a Pod](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace) (Kubernetes 1.12 beta) and [Container Lifecycle Hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks)\n- let _vault-kubernetes-token-renewer_ re-authenticate and update VAULT_TOKEN_PATH if the token in VAULT_TOKEN_PATH is invalid. The token consumer then needs to watch VAULT_TOKEN_PATH for changes (inotify) or read VAULT_TOKEN_PATH on every connect to Vault (cheap, because VAULT_TOKEN_PATH is usually on an in-memory volume). 
This can be done independently of the previous case because the token is always valid right after pod creation.\n\n`go.sum` was removed from the repo because of a checksum mismatch between the Go version in use and k8s.io/client-go:\n```\ngo: verifying k8s.io/client-go@v9.0.0+incompatible: checksum mismatch\n```\n\u003e Without a committed `go.sum` the repo pins no module hashes of its own; module verification then depends on the Go checksum database (GOSUMDB) at download time.\n\n\n# Vault client configuration\n\nThe usual environment variables for Vault will be used:\n\n- VAULT_ADDR\n- VAULT_CACERT\n- VAULT_CAPATH\n- VAULT_CLIENT_CERT\n- VAULT_CLIENT_KEY\n- VAULT_CLIENT_TIMEOUT\n- VAULT_SKIP_VERIFY\n- VAULT_TLS_SERVER_NAME\n- VAULT_WRAP_TTL\n- VAULT_MAX_RETRIES\n- VAULT_TOKEN\n- VAULT_MFA\n- VAULT_RATE_LIMIT\n\n\u003e see https://godoc.org/github.com/hashicorp/vault/api#Config.ReadEnvironment\n\n\u003e the minimal configuration is VAULT_ADDR with VAULT_SKIP_VERIFY=true; note that VAULT_SKIP_VERIFY=true disables TLS certificate verification of the Vault server, so outside of test setups set VAULT_CACERT (or VAULT_CAPATH) instead\n\n\n# Init Container _vault-kubernetes-authenticator_\n\n## Configuration\n\n- VAULT_ROLE - required: the name of the Vault role to use for authentication.\n\u003e For a successful Kubernetes authentication the environment variable VAULT_ROLE must be set.\n\n...or...\n\n- VAULT_ROLE_ID - see https://www.vaultproject.io/docs/auth/approle\n- VAULT_SECRET_ID - see https://www.vaultproject.io/docs/auth/approle\n\n\u003e If the environment variables VAULT_ROLE_ID and VAULT_SECRET_ID are set, the AppRole Auth Method will be used, the Kubernetes Auth Method otherwise.\n\n\n- VAULT_TOKEN_PATH - the destination path on disk to store the token. Usually this is a shared volume.\n\n- VAULT_AUTH_MOUNT_PATH - the path where the Kubernetes auth method is enabled. This defaults to `kubernetes`; if you enabled the method at a different path, set this value to that path (`vault auth enable -path=k8s kubernetes` -\u003e `VAULT_AUTH_MOUNT_PATH=k8s`)\n\n- SERVICE_ACCOUNT_TOKEN_PATH - the path on disk where the Kubernetes service account JWT token lives. 
This defaults to /var/run/secrets/kubernetes.io/serviceaccount/token.\n\n- ALLOW_FAIL - if set to \"true\", the container terminates successfully even if the authentication to Vault failed; no token is written to VAULT_TOKEN_PATH in that case. **This condition needs to be handled in the succeeding container.** (default: \"false\")\n\n## Example\n\n```\n$ k logs vault-kubernetes-authenticator-5675d58d95-4wd8v -c vault-kubernetes-authenticator\n2018/11/26 14:56:29 successfully authenticated to vault\n2018/11/26 14:56:29 successfully stored vault token at /home/vault/.vault-token\n\n$ k exec -ti vault-kubernetes-authenticator-5675d58d95-4wd8v sh\n~ $ VAULT_TOKEN=$(cat /home/vault/.vault-token)\n~ $ echo $VAULT_TOKEN\n8Pj0EzFLWQv8uWcjbP9hF1MB\n~ $\n```\n\n\n# Init Container _vault-kubernetes-synchronizer_\n\nDepends on Init Container _vault-kubernetes-authenticator_\n\n- each Kubernetes secret created by _vault-kubernetes-synchronizer_ gets the annotation `vault-secret: \u003cvault secret path\u003e`\n\n- Existing labels are retained and configured labels are appended to existing ones. If an existing label has the same key as a configured label, the value will be overwritten.\n\n- secrets created by _vault-kubernetes-synchronizer_ (recognized by the annotation) that are no longer listed in VAULT_SECRETS will be deleted\n\n## Secret Mapping\n\n| Mapping                     | Vault                 | Kubernetes  |\n|-----------------------------|:----------------------|:------------|\n| secret/k8s/first            | secret/k8s/first      | first       |\n| secret/k8s/first:third      | secret/k8s/first      | third       |\n|-----------------------------|-----------------------|-------------|\n| secret/k8s/                 | secret/k8s/first      | first       |\n|                             | secret/k8s/second     | second      |\n\nA plain path maps to a Kubernetes secret named after the last path element, `:name` overrides the Kubernetes secret name, and a trailing `/` synchronizes every secret listed under that path, each named after its key.\n\n\u003e labels/names in Kubernetes will be validated according to [RFC-1123](https://tools.ietf.org/html/rfc1123)\n\n## Encoding\n\nIf a secret value is binary and has to be encoded to be stored in Vault, e.g. 
a Java KeyStore (JKS), base64-encode it and add the prefix \"base64:\" to the value in Vault.\n\nCreate the secret for Vault as follows:\n```\necho \"base64:$(base64 -w0 filename)\"\n```\n\n_vault-kubernetes-synchronizer_ decodes such values before creating the Kubernetes secret, so the data is not double-encoded (Kubernetes base64-encodes secret data itself).\n\n## Configuration\n\n- VAULT_TOKEN_PATH - the path on disk where _vault-kubernetes-authenticator_ stored the token. Usually this is a shared volume.\n\n- VAULT_SECRETS - comma separated list of secrets (see Secret Mapping)\n\n- SECRET_PREFIX - prefix for synchronized secrets (e.g. for SECRET_PREFIX=\"v3t-\" the Vault secret \"first\" becomes the Kubernetes secret \"v3t-first\"; the prefix has to be valid in an RFC-1123 name, so underscores are not allowed)\n\n- SYNCHRONIZER_ANNOTATION - annotation used to track managed secrets (default value `vault-secret`). Can be very useful if you need more than one `vault-synchronizer` init container in the same namespace.\n\n- SYNCHRONIZER_LABELS - labels will be added to every synchronized secret. Multiple key-value pairs can be separated with a comma. For each key-value pair a key and the equal sign are mandatory. 
Example: `\"k1=v1,k2=v2,k3=,k4\"` - k4 will be ignored because the equal sign is missing.\n\n\u003e set ALLOW_FAIL=\"true\" for _vault-kubernetes-authenticator_ if a failed authentication should be tolerated as described under Error handling\n\n## Error handling\n\nIf Vault authentication fails in _vault-kubernetes-authenticator_ and ALLOW_FAIL=\"true\" has been set for _vault-kubernetes-authenticator_, the failed authentication will be handled as follows:\n- if all secrets in VAULT_SECRETS already exist in the namespace (the content of the secrets will not be considered), _vault-kubernetes-synchronizer_ issues a warning and terminates successfully.\n- if any secret from VAULT_SECRETS is missing in the namespace, _vault-kubernetes-synchronizer_ fails.\n\n## Example\n\nTwo secrets in Vault:\n```\n$ vault kv get secret/k8s/first\n====== Metadata ======\n...\n=== Data ===\nKey    Value\n---    -----\none    12345678\ntwo    23456781\n$ vault kv get secret/k8s/second\n====== Metadata ======\n...\n===== Data =====\nKey       Value\n---       -----\ngreen     lantern\npoison    ivy\n```\n\nConfigure the two secrets for synchronization with the environment variable VAULT_SECRETS:\n```\n$ vi deployment.yaml\n...\n    - name: VAULT_SECRETS\n      value: secret/data/k8s/first,secret/data/k8s/second\n...\n```\n\n```\n$ k logs vault-kubernetes-synchronizer-6875c88858-t6hdw -c vault-kubernetes-authenticator\n2018/11/26 14:56:30 successfully authenticated to vault\n2018/11/26 14:56:30 successfully stored vault token at /home/vault/.vault-token\n\n$ k logs vault-kubernetes-synchronizer-6875c88858-t6hdw -c vault-kubernetes-synchronizer\n2018/11/26 14:56:31 read secret/data/k8s-np/appl-vault-dev-e1/first from vault\n2018/11/26 14:56:31 create secret third from vault secret secret/data/k8s-np/appl-vault-dev-e1/first\n2018/11/26 14:56:31 read secret/data/k8s-np/appl-vault-dev-e1/first from vault\n2018/11/26 14:56:31 create secret first from vault secret secret/data/k8s-np/appl-vault-dev-e1/first\n2018/11/26 14:56:31 read secret/data/k8s-np/appl-vault-dev-e1/second from 
vault\n2018/11/26 14:56:31 create secret second from vault secret secret/data/k8s-np/appl-vault-dev-e1/second\n2018/11/26 14:56:31 secrets successfully synchronized\n\n$ k get secrets | grep -e first -e second -e third\nfirst                                Opaque                                2      16m\nsecond                               Opaque                                2      16m\nthird                                Opaque                                2      16m\n\n$ k describe secrets first second third\nName:         first\nNamespace:    vault-test\nLabels:       \u003cnone\u003e\nAnnotations:  vault-secret=secret/data/k8s/first\n\nType:  Opaque\n\nData\n====\none:  8 bytes\ntwo:  8 bytes\n\n\nName:         second\nNamespace:    vault-test\nLabels:       \u003cnone\u003e\nAnnotations:  vault-secret=secret/data/k8s/second\n\nType:  Opaque\n\nData\n====\npoison:  3 bytes\ngreen:   7 bytes\n\n\nName:         third\nNamespace:    vault-test\nLabels:       \u003cnone\u003e\nAnnotations:  vault-secret=secret/data/k8s/first\n\nType:  Opaque\n\nData\n====\none:  8 bytes\ntwo:  8 bytes\n```\n\n## Example - with failed authentication\n\nALLOW_FAIL=\"false\" set for _vault-kubernetes-authenticator_\n```\n$ k logs vault-kubernetes-synchronizer-6875c88858-mbdsp -c vault-kubernetes-authenticator\n2018/11/26 15:26:01 authentication failed: login failed with role from environment variable VAULT_ROLE: \"k8s-np-appl-vault-dev-e1-auth\": Put http://vault-dev-server.appl-vault-dev-e1.svc.cluster.local:8200/v1/auth/k8s-np/login: dial tcp 10.127.21.136:8200: i/o timeout\n\n$ k logs vault-kubernetes-synchronizer-6875c88858-mbdsp -c vault-kubernetes-synchronizer\nError from server (BadRequest): container \"vault-kubernetes-synchronizer\" in pod \"vault-kubernetes-synchronizer-6875c88858-mbdsp\" is waiting to start: PodInitializing\n\n$ k get pods\nNAME                                             READY   STATUS                  RESTARTS   
AGE\nvault-kubernetes-synchronizer-6875c88858-mbdsp   0/1     Init:CrashLoopBackOff   3          7m40s\n```\n\nALLOW_FAIL=\"true\" set for _vault-kubernetes-authenticator_\n```\n$ k logs vault-kubernetes-synchronizer-7d5f65895-2pf4j -c vault-kubernetes-authenticator -f\n2018/11/26 15:36:53 authentication failed - ALLOW_FAIL is set therefore pod will continue: login failed with role from environment variable VAULT_ROLE: \"k8s-np-appl-vault-dev-e1-auth\": Put http://vault-dev-server.appl-vault-dev-e1.svc.cluster.local:8200/v1/auth/k8s-np/login: dial tcp 10.127.21.136:8200: i/o timeout\n\n$ k logs vault-kubernetes-synchronizer-7d5f65895-2pf4j -c vault-kubernetes-synchronizer\n2018/11/26 15:36:55 check secret second from vault secret secret/data/k8s-np/appl-vault-dev-e1/second\n2018/11/26 15:36:55 check secret third from vault secret secret/data/k8s-np/appl-vault-dev-e1/first\n2018/11/26 15:36:55 check secret first from vault secret secret/data/k8s-np/appl-vault-dev-e1/first\n2018/11/26 15:36:55 cannot synchronize secrets - all secrets seems to be available therefore pod creation will continue: could not get vault token: open /home/vault/.vault-token: no such file or directory\n\n$ k get pods\nNAME                                            READY   STATUS    RESTARTS   AGE\nvault-kubernetes-synchronizer-7d5f65895-2pf4j   1/1     Running   0          5m18s\n```\n\n## Example - with failed synchronizer\n\n### Permission issue\n```\n$ k logs pod/vault-kubernetes-synchronizer-demo-vvzxr -c vault-kubernetes-synchronizer\n2019/08/20 14:00:28 Using annotation [ vault-secret ] to detect managed secrets\n2019/08/20 14:00:28 failed to prepare synchronization of secrets: Error making API request.\n\nURL: GET http://example.com/v1/sys/mounts\nCode: 403. 
Errors:\n\n* 1 error occurred:\n        * permission denied\n```\n\nThe fix is to grant the `read` capability on `sys/mounts` in the Vault policy attached to the role the service account logs in with (the synchronizer reads the mount table while preparing the synchronization):\n```\npath \"sys/mounts\" {\n  capabilities = [\"read\"]\n}\n```\n\n### KV/Vault engine Version missing\n```\n$ k logs pod/vault-kubernetes-synchronizer-sd-67fb88c95b-d7pkb -c vault-kubernetes-authenticator\n2019/09/06 08:58:55 successfully authenticated to vault\n2019/09/06 08:58:55 successfully stored vault token at /home/vault/.vault-token\n$ k logs pod/vault-kubernetes-synchronizer-sd-67fb88c95b-d7pkb -c vault-kubernetes-synchronizer\n2019/09/06 09:00:40 Using annotation [ vault-secret ] to detect managed secrets\n2019/09/06 09:00:40 failed to prepare synchronization of secrets: strconv.Atoi: parsing \"\": invalid syntax\n```\n\nThe error occurs when the kv secrets engine is mounted without a `version` option (`map[]` in the `Options` column below): the synchronizer parses that option to tell KV v1 from v2 and fails on the empty string. The version (1 or 2) has to be set explicitly on the mount. The following steps show how to enable a new v1 mount and how to upgrade the existing `secret/` mount to v2:\n\n```\n$ vault secrets list -detailed\nPath                Plugin       Accessor              Default TTL    Max TTL    Force No Cache    Replication    Seal Wrap    Options    Description                                                UUID\n----                ------       --------              -----------    -------    --------------    -----------    ---------    -------    -----------                                                ----\nsecret/             kv           kv_8210532d           system         system     false             replicated     false        map[]      n/a                                                        1dd5df15-8178-7843-6795-f05def3c3db8\n$ vault secrets enable -version=1 kv\nSuccess! Enabled the kv secrets engine at: kv/\n$ vault kv enable-versioning secret/\nSuccess! 
Tuned the secrets engine at: secret/\n$ vault secrets list -detailed | grep kv\nkv/                 kv           kv_894f5894           system         system     false             replicated     false        map[version:1]    n/a                                                        f0736f4d-343d-e32a-b2c5-897bf3552f1f\nsecret/             kv           kv_8210532d           system         system     false             replicated     false        map[version:2]    n/a                                                        1dd5df15-8178-7843-6795-f05def3c3db8\n```\n\n## Example - Using labels\n\nInitial synchronized secrets:\n```\n$ k get secrets | grep ^vault- | grep -v token\nvault-alpha              Opaque                                1      26m\nvault-beta               Opaque                                1      26m\nvault-first              Opaque                                2      26m\nvault-gamma              Opaque                                1      26m\nvault-second             Opaque                                2      26m\nvault-third              Opaque                                2      26m\n```\n\nAdd labels to some secrets and check them:\n```\n$ for i in alpha beta gamma; do printf \"labels of secret %12s: %s\\n\" vault-$i $(k get secret vault-${i} -o=jsonpath=\"{.metadata['labels']}\"); done\nlabels of secret  vault-alpha: {\"batman\":\"unknown\",\"jocker\":\"jack_napier\",\"superman\":\"unknown\"}\nlabels of secret   vault-beta: {\"batman\":\"bruce_wayne\",\"joker\":\"jack_napier\"}\nlabels of secret  vault-gamma: {\"superman\":\"kal-el\"}\n```\n\nAdd SYNCHRONIZER_LABELS to your deployment:\n```\n$ vi deployment.yaml\n...\n        - name: SYNCHRONIZER_LABELS\n          value: batman=bruce_wayne,superman=kal-el\n...\n```\n\u003e All synchronized secrets will get these labels.\n\nRedeploy and check the labels:\n```\n$ for i in alpha beta gamma; do printf \"labels of secret %12s: %s\\n\" vault-$i $(k get secret vault-${i} -o=jsonpath=\"{.metadata['labels']}\"); 
done\nlabels of secret  vault-alpha: {\"batman\":\"bruce_wayne\",\"jocker\":\"jack_napier\",\"superman\":\"kal-el\"}\nlabels of secret   vault-beta: {\"batman\":\"bruce_wayne\",\"joker\":\"jack_napier\",\"superman\":\"kal-el\"}\nlabels of secret  vault-gamma: {\"batman\":\"bruce_wayne\",\"superman\":\"kal-el\"}\n```\n\n\u003e Existing labels are retained (`jocker`, `joker`); a label whose key is also configured (`batman`, `superman`) is overwritten with the configured value.\n\n## Example - Custom annotation\n\nSet our custom annotation:\n```\n$ vi deployment.yaml\n...\n        - name: SYNCHRONIZER_ANNOTATION\n          value: synchronized\n...\n```\n\nDeploy and check the annotations:\n```\n$ for i in alpha beta gamma; do printf \"annotations of secret %12s: %s\\n\" vault-$i $(k get secret vault-${i} -o=jsonpath=\"{.metadata['annotations']}\"); done\nannotations of secret  vault-alpha: {\"synchronized\":\"secret/e1-k8s-pfnet-a/scratch-sauterm/greek/alpha\"}\nannotations of secret   vault-beta: {\"synchronized\":\"secret/e1-k8s-pfnet-a/scratch-sauterm/greek/beta\"}\nannotations of secret  vault-gamma: {\"synchronized\":\"secret/e1-k8s-pfnet-a/scratch-sauterm/greek/gamma\"}\n```\n\nChange your custom annotation:\n```\n$ vi deployment.yaml\n...\n        - name: SYNCHRONIZER_ANNOTATION\n          value: vault-kubernetes-synchronizer\n...\n```\n\nDeploy and check the logs of your vault-kubernetes-synchronizer pod (secrets carrying the old annotation are no longer recognized as managed):\n```\n2021/01/25 11:19:33 read secret/e1-k8s-pfnet-a/scratch-sauterm/greek/alpha from vault\n2021/01/25 11:19:33 WARNING: ignoring secret vault-alpha - not managed by synchronizer\n2021/01/25 11:19:33 read secret/e1-k8s-pfnet-a/scratch-sauterm/greek/beta from vault\n2021/01/25 11:19:33 WARNING: ignoring secret vault-beta - not managed by synchronizer\n2021/01/25 11:19:33 read secret/e1-k8s-pfnet-a/scratch-sauterm/greek/gamma from vault\n2021/01/25 11:19:33 WARNING: ignoring secret vault-gamma - not managed by synchronizer\n2021/01/25 11:19:33 read secret/e1-k8s-pfnet-a/scratch-sauterm/first from vault\n2021/01/25 11:19:33 WARNING: ignoring secret vault-first - not 
managed by synchronizer\n2021/01/25 11:19:33 read secret/e1-k8s-pfnet-a/scratch-sauterm/second from vault\n2021/01/25 11:19:33 WARNING: ignoring secret vault-second - not managed by synchronizer\n2021/01/25 11:19:33 read secret/e1-k8s-pfnet-a/scratch-sauterm/first from vault\n2021/01/25 11:19:33 WARNING: ignoring secret vault-third - not managed by synchronizer\n```\n\n\u003e Changing the annotation does not work. You have to delete the secrets first.\n\n# Sidecar _vault-kubernetes-token-renewer_\n\nDepends on Init Container _vault-kubernetes-authenticator_\n\n- renew the Vault token regularly\n\n## Configuration\n\n- VAULT_TOKEN_PATH - the destination path on disk to store the token. Usually this is a shared volume.\n- VAULT_REAUTH - re-authenticate if the token is invalid (default: \"false\")\n- VAULT_TTL - requested token ttl (can be overwritten by Vault)\n\n\u003e If you set VAULT_REAUTH to \"true\", you have to provide all necessary environment variable for authentication (see: _vault-kubernetes-authenticator_). The token changes when re-authentication happens and must therefore be read again.\n\n## Example\n\n```\n$ k logs vault-kubernetes-token-renewer-844488f7bc-c6ztf -c vault-kubernetes-authenticator\n2018/11/26 14:56:30 successfully authenticated to vault\n2018/11/26 14:56:30 successfully stored vault token at /home/vault/.vault-token\n\n$ k logs vault-kubernetes-token-renewer-844488f7bc-c6ztf  -c vault-kubernetes-token-renewer\n2018/11/26 14:56:32 start renewer loop\n2018/11/26 14:56:32 token renewed\n```\n\n\n# Build\n\nInstall [mage](https://magefile.org/)\n\n\u003e The `DOCKER_TARGET` environment variable will be used to tag and push the images. 
If not set, the images will not be tagged and pushed.\n\n```\n$ export GO111MODULE=on\n$ export DOCKER_TARGET=\"registry.example.com/repopath\"\n$ mage buildAllImages\n```\n\n\n# Demo\n\n- Edit `profile`\n\n```\ncd demo\n./deploy.sh profile\n...\n./delete.sh namespace\n```\n\n\n# Links\n\n- [Using HashiCorp Vault with Kubernetes (Cloud Next '18)](https://www.youtube.com/watch?v=B16YTeSs1hI)\n- [Github - vault-kubernetes-authenticator](https://github.com/sethvargo/vault-kubernetes-authenticator)\n- [Vault - Kubernetes Auth Method](https://www.vaultproject.io/docs/auth/kubernetes.html)\n- [Kubernetes - Init Containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpostfinance%2Fvault-kubernetes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpostfinance%2Fvault-kubernetes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpostfinance%2Fvault-kubernetes/lists"}