{"id":17250307,"url":"https://github.com/sorah/vault2kube","last_synced_at":"2026-04-30T17:31:46.499Z","repository":{"id":66903331,"uuid":"262435842","full_name":"sorah/vault2kube","owner":"sorah","description":"manage Vault lease on Kubernetes secrets and keep it fresh","archived":false,"fork":false,"pushed_at":"2020-11-08T05:43:13.000Z","size":92,"stargazers_count":3,"open_issues_count":1,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-26T06:22:39.036Z","etag":null,"topics":["hashicorp-vault","kubernetes","security","vault"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sorah.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-08T21:51:21.000Z","updated_at":"2020-12-08T16:38:20.000Z","dependencies_parsed_at":"2023-05-19T17:00:17.092Z","dependency_job_id":null,"html_url":"https://github.com/sorah/vault2kube","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/sorah/vault2kube","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fvault2kube","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fvault2kube/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fvault2kube/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fvault2kube/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sorah","download_url":"https://codeload.github.com/sorah/vault2kube/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fvault2kube/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32472396,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"ssl_error","status_checked_at":"2026-04-30T13:12:06.837Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hashicorp-vault","kubernetes","security","vault"],"created_at":"2024-10-15T06:46:51.844Z","updated_at":"2026-04-30T17:31:46.476Z","avatar_url":"https://github.com/sorah.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vault2kube: manage Vault lease on Kubernetes secrets and keep it fresh\n\n![docker-build](https://github.com/sorah/vault2kube/workflows/docker-build/badge.svg)\n\n## What's this\n\nFetch a secret from Vault, and copy it to a k8s secret. Then rollout restart on specified k8s resources.\n\nThis tool is intended to run using k8s CronJob, and use with Vault _leased, managed_ secrets (e.g. database creds).\nNote that the motivation behind this tool is not copying _static_ secrets from Vault; even is possible.\n\n### Difference with vault-k8s\n\n[hashicorp/vault-k8s](https://github.com/hashicorp/vault-k8s) is the official tool to integrate Vault secrets with Kubernetes.\nThis tool uses MutationWebhook to inject a `vault agent` into a pod, and the injected agent authenticate against Vault using a service account associated to the pod, then keep secrets updated.\n\nThis design allows to cover various use cases, however it is not simple for just copying leaesd, short-lived secrets (e.g. database) from Vault.\n\nvault-k8s would be a good choice when you cannot trust k8s secrets store, or you need to interact with Vault to do some advanced usage.\n\n## Docker repository\n\nhttps://hub.docker.com/r/sorah/vault2kube\n\n## Setup\n\nCheck [deploy/setup.yml](./deploy/setup.yml) and apply:\n\n```\ncp deploy/setup.yml /tmp/\nvim /tmp/setup.yml\nkubectl apply -f /tmp/setup.yml\n```\n\nBy default this enables ClusterRole to update the entire secrets in your cluster. If you're not in favor of this whole cluster setup, you may use namespaced Role instead.\n(Hint: you can use `--namespace` command line argument to enable namespaced API requests)\n\n### Configuing connection to Vault\n\nThe following environment variables are supported, and some of them are required:\n\n- Connection\n  - `VAULT_ADDR` (required)\n  - `VAULT_NAMESPACE`\n  - `VAULT_CACERT`\n- Authentication (required, choose from one of these)\n  1. Bearer\n    - `VAULT_TOKEN`\n  2. Kubernetes\n    - `VAULT_K8S_PATH` (required, e.g. `auth/kubernetes`)\n    - `VAULT_K8S_ROLE` (required)\n    - `VAULT_K8S_TOKEN_PATH` (optional, default to `/var/run/secrets/kubernetes.io/serviceaccount/token`)\n\n### Kubernetes Authentication\n\nDefault to in-cluster config, but can refer to `$KUBECONFIG` (`~/.kube/config`).\n\n(When not using in-cluster config, Kubernetes Vault authentication is unavailable)\n\n## Usage\n\n### Configure a rule\n\nvault2kube uses CRD to configure a rule and persist its state. Create `VaultStoreRule` like as follows:\n\n``` yaml\napiVersion: \"vault2kube.sorah.jp/v1\"\nkind: VaultStoreRule\nmetadata:\n  name: foo\n  namespace: default\nspec:\n  ## Path to source secret on Vault (what you specify to `vault read` command)\n  sourcePath: my/path/to/database-mount/creds/my-database-role\n  \n  ## Optional parameters; When this is present, vault2kube will use POST (= vault write) to get leases\n  # parameters: {}\n\n  ## Destination secret to store its lease as a k8s secret\n  destinationName: my-database-creds\n  # Templates to render stringData.\n  templates:\n    - key: password\n      # Template is rendered using Handlebars against `.data` lease response\n      template: '{{password}}'\n    - key: username\n      template: '{{username}}'\n\n  ## Restart resource on any Vault lease rotation\n  # Deployment, DaemonSet, StatefulSet is supported\n  rolloutRestarts:\n    - kind: Deployment\n      name: blog\n\n  ## Handling lease TTL\n  # At least either renewBeforeSeconds or rotateBeforeSeconds must be given. \n  # Specifying both options are possible. Then rule will try to renew as long as possible, then rotate.\n\n  # Enable this to renew while max_ttl. Specify threshold by seconds until expiry to perform a renew.\n  renewBeforeSeconds: 604800\n  # Enable this to rotate when reaching max_ttl. Note that even this parameter is omit, leases will be\n  # rotated when a renewed ttl is capped to max_ttl.\n  rotateBeforeSeconds: 259200\n  # Enable this to revoke the last lease in subsequent run after rotation. Default to 1.\n  revokeAfterSeconds: 3600\n```\n\n### Confirm working\n\nThen trigger a job, and confirm the result.\n\n```\nkubectl create job --from=cronjob/vault2kube vault2kube-manual-${USER}-$(date +%s)\nkubectl get secret my-database-creds\n```\n\n## Advanced topics\n\n### Request force renew/rotate\n\nSetting the following annotations to VaultStoreRule lets Vault2kube perform early renew/rotate:\n\n- Renew: `vault2kube.sorah.jp/renewRequestedAt` (ISO8601 datetime format)\n- Rotate: `vault2kube.sorah.jp/rotateRequestedAt` (ISO8601 datetime format)\n\nActions are performed when a specified datetime is newer than the last successful run (.status.lastSuccessfulRunAt).\n\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub at https://github.com/sorah/vault2kube.\n\n## License\n\nThe tool is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsorah%2Fvault2kube","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsorah%2Fvault2kube","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsorah%2Fvault2kube/lists"}