{"id":18656581,"url":"https://github.com/zendesk/samson_secret_puller","last_synced_at":"2025-04-11T18:30:55.341Z","repository":{"id":8638374,"uuid":"59140511","full_name":"zendesk/samson_secret_puller","owner":"zendesk","description":"kubernetes sidecar and app to publish secrets to a containerized app.","archived":false,"fork":false,"pushed_at":"2024-05-16T21:59:13.000Z","size":3814,"stargazers_count":13,"open_issues_count":3,"forks_count":3,"subscribers_count":354,"default_branch":"master","last_synced_at":"2025-03-25T16:51:36.883Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zendesk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-05-18T18:18:08.000Z","updated_at":"2024-05-07T17:28:27.000Z","dependencies_parsed_at":"2024-03-21T04:33:18.464Z","dependency_job_id":"ca485573-798c-4fdf-9f32-8a424ed4b5fe","html_url":"https://github.com/zendesk/samson_secret_puller","commit_stats":{"total_commits":170,"total_committers":19,"mean_commits":8.947368421052632,"dds":0.4411764705882353,"last_synced_commit":"70ccc0774314251ac882bdf3c2fb505f845b8a32"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zendesk%2Fsamson_secret_puller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zendesk%2Fsamson_secret_puller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zendesk%2Fsamson_secret_puller/releases","ma
nifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zendesk%2Fsamson_secret_puller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zendesk","download_url":"https://codeload.github.com/zendesk/samson_secret_puller/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248458368,"owners_count":21107063,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T07:24:07.701Z","updated_at":"2025-04-11T18:30:55.038Z","avatar_url":"https://github.com/zendesk.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Secret puller [![Build Status](https://travis-ci.org/zendesk/samson_secret_puller.svg?branch=master)](https://travis-ci.org/zendesk/samson_secret_puller)\n\nApplication to run in a kubernetes init container,\nto publish secrets to containerized applications without using process environment\n([which is unsafe](https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/)),\nused in [samson](https://github.com/zendesk/samson),\nand libraries for multiple languages to read these secrets from disk.\n\nThe init container understands these env vars:\n\n```\nVAULT_ADDR: required, url of vault\nVAULT_AUTH_FILE: optional, location of the mounted vault token / pemfile on disk, defaults to '/vault-auth/authsecret'\nVAULT_AUTH_TYPE: optional, the type of authentication to attempt, defaults to 'token'\nVAULT_AUTH_PATH: optional, allows specifying a custom vault auth path, defaults to $VAULT_AUTH_TYPE
\nVAULT_AUTH_ROLE: optional, the role against which Vault login should be attempted (required where VAULT_AUTH_TYPE=kubernetes)\nVAULT_TLS_VERIFY: optional, whether to verify ssl when talking to vault, defaults to false\nVAULT_KV_V2: optional, whether this is vault kv v2, defaults to false\nVAULT_MOUNT: optional, which mount to use, defaults to \"secret\"\nVAULT_PREFIX: optional, which prefix to use, defaults to \"apps\"\nSIDECAR_SECRET_PATH: optional, where to store the secrets on disk, defaults to '/secrets'\nSECRET_ANNOTATIONS: optional, where to read annotations from, defaults to '/secretkeys/annotations'\nSERVICEACCOUNT_DIR: optional, where to read the service account from, defaults to '/var/run/secrets/kubernetes.io/serviceaccount/'\nPOD_IP: optional, the IP address assigned to the Kubernetes pod\nPOD_HOSTNAME: optional, the hostname assigned to the Kubernetes pod\nLOG_LEVEL: optional, log level, defaults to \"info\"; set to \"debug\" when debugging\n```\n\n**(secrets in repo work only for testing)**.\n\nExample config:\n\n- [kubernetes/vault-auth-secret.yml](kubernetes/vault-auth-secret.yml)\n- [kubernetes/vault-auth-token.yml](kubernetes/vault-auth-token.yml)\n\n#### Supported Authentication Types\n\n##### `VAULT_AUTH_TYPE=token` (default)\n\nThe file path specified in `VAULT_AUTH_FILE` will be read and used as a Vault token directly.\nThe token is validated using Vault's [lookup-self API](https://www.vaultproject.io/api/auth/token/index.html#lookup-a-token-self-).\n\n##### `VAULT_AUTH_TYPE=cert`\n\nThe file path specified in `VAULT_AUTH_FILE` will be read and used as an X509 client certificate\nto authenticate with vault using the [TLS Certificate Auth backend](https://www.vaultproject.io/api/auth/cert/index.html).\n\nIf the backend is mounted at a different path from `/auth/cert`, it can be customised using the `VAULT_AUTH_PATH` env var.\n\n##### `VAULT_AUTH_TYPE=kubernetes`\n\nThe Kubernetes ServiceAccount mounted into the init container will be 
used to\nauthenticate with vault using the [Kubernetes Auth backend](https://www.vaultproject.io/api/auth/kubernetes/index.html).\nThe role against which login will be attempted is set via `VAULT_AUTH_ROLE`.\n\nIf the backend is mounted at a different path from `/auth/kubernetes`, it can be customised using the `VAULT_AUTH_PATH` env var.\n\n### Example workflow\n\nInit container reads annotation `secret/BAR=foo/bar/baz/foo` and generates a file called `BAR` in `SIDECAR_SECRET_PATH`\nwith the content being the result of the vault read for `secret/apps/foo/bar/baz/foo`.\n(`secret/apps` prefix is hardcoded atm)\n\nInside the host app, secrets are loaded by using the [samson_secret_puller](https://rubygems.org/gems/samson_secret_puller) gem.\n\n```\ngem 'samson_secret_puller'\n\nrequire 'samson_secret_puller'\n\nSamsonSecretPuller.replace_ENV!\n\nENV['FOO'] -\u003e read from /secrets/FOO or falls back to ENV['FOO']\n```\n\n### Example PKI workflow\n\nInit container reads annotations starting with `pki/`. PKI annotations are formatted as `pki/{name}={vault_path}?{parameters}`\n\nThe \"name\" in the annotation key is used in the path where the output files are written. The annotation's value\ncontains the vault URI path used to request certificate issuance. The URL-style path parameters in the annotation value\nare converted into the payload of the generate certificate request.\n\nFor example: the init container reads the annotation `pki/example.com=pki/issue/example-com?common_name=example.com`\nand generates certificate files in the path `${SIDECAR_SECRET_PATH}/pki/example.com` directory. 
The URL-style path parameters\nin the annotation's value (`common_name=example.com`) will be marshalled into the payload of the\n[Generate Certificate](https://www.vaultproject.io/api/secret/pki/index.html#generate-certificate) request to the\nVault instance (see that documentation for possible parameters).\n\nDepending on how the PKI backend is configured the following files will be placed in the `SIDECAR_SECRET_PATH`\ndirectory:\n\n```\n${SIDECAR_SECRET_PATH}/pki/example.com/certificate.pem\n${SIDECAR_SECRET_PATH}/pki/example.com/private_key.pem\n${SIDECAR_SECRET_PATH}/pki/example.com/issuing_ca.pem\n${SIDECAR_SECRET_PATH}/pki/example.com/chain_ca.pem\n${SIDECAR_SECRET_PATH}/pki/example.com/serial_number\n${SIDECAR_SECRET_PATH}/pki/example.com/private_key_type\n${SIDECAR_SECRET_PATH}/pki/example.com/expiration\n```\n\n**Special Annotation Parameters:**\n\n- `?pod_hostname_as_cn=true`: Pod hostname is set to the common name, overriding the `common_name` parameter if provided\n- `?pod_hostname_as_san=true`: Pod hostname is included as a subject alternate name\n- `?pod_ip_as_san=true`: Pod IP is included as a subject alternate name\n\n### Debugging\n\n- Use a dedicated Pod to debug inside the cluster, see [kubernetes/debug.yml]\n- There is no `bash`, use `sh`\n- Set `LOG_LEVEL=debug` env var for debug logs\n\n### Test\n\n`bundle \u0026\u0026 bundle exec rake`\n\n### Release to [Docker Hub](https://hub.docker.com/r/zendesk/samson_secret_puller/)\n\n- `docker pull zendesk/samson_secret_puller` gets the latest digest after merging a PR\n- For branches, use `rake build` and then tag + push them manually\n- For zendesk: [zendesk_samson_secret_puller](https://github.com/zendesk/zendesk_samson_secret_puller) pulls the latest and pushes a multi-arch image to GCR\n\n## Ruby Gem\n\nsee [gem Readme.md](gem/Readme.md)\n\n## Elixir\n\nsee [elixir 
README.md](elixir/README.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzendesk%2Fsamson_secret_puller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzendesk%2Fsamson_secret_puller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzendesk%2Fsamson_secret_puller/lists"}