{"id":22998234,"url":"https://github.com/uswitch/vault-creds","last_synced_at":"2025-04-06T08:14:05.801Z","repository":{"id":47955892,"uuid":"86077742","full_name":"uswitch/vault-creds","owner":"uswitch","description":"Sidecar container for requesting dynamic Vault database secrets","archived":false,"fork":false,"pushed_at":"2025-01-21T11:39:44.000Z","size":2639,"stargazers_count":83,"open_issues_count":7,"forks_count":14,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-03-30T06:11:10.011Z","etag":null,"topics":["kubernetes","vault"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/uswitch.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-24T14:38:32.000Z","updated_at":"2025-01-21T11:39:48.000Z","dependencies_parsed_at":"2024-06-18T22:40:25.643Z","dependency_job_id":"14c23444-de12-49ff-b877-9488c36eb3c7","html_url":"https://github.com/uswitch/vault-creds","commit_stats":null,"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uswitch%2Fvault-creds","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uswitch%2Fvault-creds/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uswitch%2Fvault-creds/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uswitch%2Fvault-creds/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/uswitch","download_url":"https://codeload.github.com/uswitch/vault-creds/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247451665,"owners_count":20940944,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","vault"],"created_at":"2024-12-15T06:12:15.092Z","updated_at":"2025-04-06T08:14:05.731Z","avatar_url":"https://github.com/uswitch.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vault Creds\n\nProgram (and Docker container) to be run as a sidecar to your application- requesting dynamic database credentials that will be leased while the application is active or requests certificate for the designated ttl\n\nIt implements authentication according to [Vault's Kubernetes Authentication flow](https://kubernetes.io/docs/admin/authentication/).\n\n## Usage\n\nThis project is to be deployed in a Pod alongside the main application. When `vault-creds` starts it will request credentials or a certifcate at the path specified and continually renew their lease.\n\n### Credentials Example\n\n```\n$ ./bin/vaultcreds \\\n  --ca-cert=~/.vaultca \\\n  --token-file=/var/run/secrets/kubernetes.io/serviceaccount/token \\\n  --login-path=kubernetes/cluster/login \\\n  --auth-role=service_account_role \\\n  --template=sample.database.yml \\\n  --secret-path=database/creds/database_role\nINFO[0000] authenticated                                 policies=\"[default service_account_role]\"\nproduction:\n  adapter: postgresql\n  database: my_database\n  host: mydbhost\n  username: v-kubernet-app-3q9s0x28tv6xzt2yx87x-1516141848\n  password: XXXXXXXXXXXXXX\nINFO[0000] renewing 1h0m0s lease every 1m0s\n```\n\n### Certificate Example\n\n```\n$ ./bin/vaultcreds \\\n  --get-certificate \\\n  --common-name=\"commonname\" \\\n  --ttl=\"2m\" \\\n  --ca-cert=~/.vaultca \\\n  --token-file=/var/run/secrets/kubernetes.io/serviceaccount/token \\\n  --login-path=kubernetes/cluster/login \\\n  --auth-role=service_account_role \\\n  --template=sample.certificate.yml \\\n  --secret-path=database/creds/database_role\nINFO[0000] authenticated                                 policies=\"[default service_account_role]\"\nINFO[0000] requesting certificate\n-----BEGIN CERTIFICATE-----\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----INFO[0000] renewing certficate every 24h\n```\n\nThe template is applied to the latest credentials and written to `--out` (normally this would be a shared mount for the other containers read).\n\n## Init Mode\n\nIf you run the container with the `--init` flag it will generate the database credentials and then exit allowing it to be used as an Init Container.\nVault-creds will also write out the lease and auth info to a file in the same directory as your database credentials, if a new Vault-creds container starts up it can read these and use them to renew your lease.\nThis means that you can have an init container generate your creds and then have a sidecar renew your credentials for you. Thus ensuring the credentials exist before your app starts up.\n\n## Job Mode\n\nKubernetes doesn't handle sidecars in cronjobs/jobs very well as it has no understanding of the difference between the primary container and the sidecar, this means that if your primary process errors/completes the job will continue to run as the vault-creds sidecar will still be running.\n\nTo get around this you can run the sidecar with `--job` flag which will cause the vault-creds sidecar to watch the status of the other containers in the pod. If they error the vault-creds container will exit 1, if they complete the container will exit 0 thus getting around the sidecar problem.\n\nTo make this work you need to add the pod name and namespaces as env vars to the vault-creds container.\n\n```\nenv:\n- name: NAMESPACE\n  valueFrom:\n    fieldRef:\n      fieldPath: metadata.namespace\n- name: POD_NAME\n  valueFrom:\n    fieldRef:\n      fieldPath: metadata.name\n```\n\nAlso ensure that the service account you use has permission to `GET` pods in its own namespace.\n\n## Metrics\n\nWe have enabled some simple metrics to be collected from the vault-creds pod.\n\nThese simple metrics are;\n\n- An error count of the number of errors during credential renewal\n\n- A unix timestamp of the last error during renewal of a secret\n\n- A unix timestamp of the last successful renewal of a secret\n\n- The amount of second remaining until the secret lease expires\n\nThese metrics are only available if you have a [Prometheus Push Gateway](https://github.com/prometheus/pushgateway).\n\nWe have chosen to use a Push Gateway because of how `vault-creds` is deployed. As `vault-creds` is meant to be deployed in a Pod alongside the main application, we did not want to cause unnecessary complications with exposing metrics and ports for scraping by Prometheus that may conflict with the main application.\n\nTo get these metrics in your Push Gateway, pass the `--gateway-addr` flag with the address to send metrics too.\n\n## License\n\n```\nCopyright 2017 uSwitch\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuswitch%2Fvault-creds","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fuswitch%2Fvault-creds","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuswitch%2Fvault-creds/lists"}