https://github.com/nikhiljha/arcanum
minimal, opinionated, correct* operator to sync secrets between Hashicorp Vault and Kubernetes
- Host: GitHub
- URL: https://github.com/nikhiljha/arcanum
- Owner: nikhiljha
- License: apache-2.0
- Created: 2021-11-28T19:30:33.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2021-11-29T05:47:04.000Z (over 3 years ago)
- Last Synced: 2025-01-24T07:30:55.770Z (4 months ago)
- Language: Rust
- Size: 52.7 KB
- Stars: 1
- Watchers: 4
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## arcanum
minimal, opinionated, correct* operator to sync secrets between Hashicorp Vault and Kubernetes
## What?
a controller that watches SyncedSecret CRDs, which contain an encrypted version of a regular Secret
- If the secret exists in Vault, the secret is pulled from Vault to the Cluster.
- If the secret exists in the cluster and not in Vault, the secret is pushed from the Cluster to Vault.
- If the secret does not exist in the cluster or in Vault, the secret is decrypted from the object itself and then pushed to Vault.
The controller attempts to gracefully handle Vault being offline (e.g. during bootstrapping):
- If Vault is unreachable and the secret does not exist, it will be created from the encrypted values.
- If Vault is unreachable and the secret does exist, the existing secret will be left alone.
## Why?
existing solutions do not...
- gracefully handle the secret provider being offline
- push existing secrets on the cluster to the secret provider if they don't already exist
If these are not important to you (e.g. a fresh cluster on a cloud provider that has a secrets provider built in), then this is not for you. If you're hosting things yourself (e.g. a self-contained bare metal cluster), then this could be helpful.
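The five reconciliation rules from the "What?" section, modelled as a pure decision function plus an in-memory Vault and cluster so the bootstrap case (Vault down when the cluster comes up, then Vault returns, then someone rotates the value in Vault) can be stepped through. This is an added illustration, not arcanum's own code: the `Action`, `Observation`, `Vault`, `Cluster` and `SyncedSecret` types, the `decide`/`reconcile` functions and the XOR "decryption" are all assumptions made for the example, since the README does not describe the operator's internals or its encryption scheme.

```rust
use std::collections::HashMap;

/// What the controller does for one SyncedSecret on one reconcile pass.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Action {
    /// Vault holds the secret: copy Vault's value into the cluster Secret.
    PullFromVault,
    /// Only the cluster holds the secret: copy the cluster value into Vault.
    PushToVault,
    /// Neither side holds it: decrypt the CRD payload and push it to Vault.
    CreateAndPush,
    /// Vault unreachable and no cluster Secret: create it from the CRD payload.
    CreateFromEncrypted,
    /// Vault unreachable and the cluster Secret exists: leave it untouched.
    LeaveAlone,
}

/// What the controller observed about one secret before deciding (hypothetical type).
#[derive(Debug, Clone, Copy)]
pub struct Observation {
    pub vault_reachable: bool,
    pub in_vault: bool,
    pub in_cluster: bool,
}

/// The README rules as a decision function. Arm order matters: the two "Vault
/// unreachable" rules come first, then "exists in Vault" beats "exists in cluster",
/// so Vault is the source of truth whenever it can be reached.
pub fn decide(obs: Observation) -> Action {
    match obs {
        Observation { vault_reachable: false, in_cluster: false, .. } => Action::CreateFromEncrypted,
        Observation { vault_reachable: false, in_cluster: true, .. } => Action::LeaveAlone,
        Observation { in_vault: true, .. } => Action::PullFromVault,
        Observation { in_cluster: true, .. } => Action::PushToVault,
        _ => Action::CreateAndPush,
    }
}

/// In-memory stand-in for Vault's KV store; `online == false` models Vault being down.
pub struct Vault { pub online: bool, pub data: HashMap<String, Vec<u8>> }
/// In-memory stand-in for the cluster's Secret objects.
pub struct Cluster { pub secrets: HashMap<String, Vec<u8>> }
/// A SyncedSecret object: its name plus the encrypted value carried in the CRD.
pub struct SyncedSecret { pub name: String, pub encrypted: Vec<u8> }

/// Placeholder "encryption" (XOR with a fixed byte) so the example is self-contained.
/// Assumption for this example only; arcanum's real scheme is not described in the README.
const PLACEHOLDER_KEY: u8 = 0x5a;
pub fn placeholder_crypt(bytes: &[u8]) -> Vec<u8> {
    bytes.iter().map(|b| b ^ PLACEHOLDER_KEY).collect()
}

/// One reconcile pass: observe, decide, apply. Returns the action taken.
pub fn reconcile(obj: &SyncedSecret, vault: &mut Vault, cluster: &mut Cluster) -> Action {
    let obs = Observation {
        vault_reachable: vault.online,
        // A down Vault cannot be queried, so "in Vault" is unknown and treated as false.
        in_vault: vault.online && vault.data.contains_key(&obj.name),
        in_cluster: cluster.secrets.contains_key(&obj.name),
    };
    let action = decide(obs);
    match action {
        Action::PullFromVault => {
            let v = vault.data.get(&obj.name).cloned().expect("observed in Vault");
            cluster.secrets.insert(obj.name.clone(), v);
        }
        Action::PushToVault => {
            let v = cluster.secrets.get(&obj.name).cloned().expect("observed in cluster");
            vault.data.insert(obj.name.clone(), v);
        }
        Action::CreateAndPush => {
            // Assumed: the decrypted value is written to the cluster as well as pushed to Vault.
            let v = placeholder_crypt(&obj.encrypted);
            cluster.secrets.insert(obj.name.clone(), v.clone());
            vault.data.insert(obj.name.clone(), v);
        }
        Action::CreateFromEncrypted => {
            cluster.secrets.insert(obj.name.clone(), placeholder_crypt(&obj.encrypted));
        }
        Action::LeaveAlone => {}
    }
    action
}

/// Bootstrap walkthrough on constructed data. Returns the actions taken in order and
/// the final value on each side.
pub fn bootstrap_scenario() -> (Vec<Action>, Vec<u8>, Vec<u8>) {
    let obj = SyncedSecret { name: "db-password".into(), encrypted: placeholder_crypt(b"s3cr3t") };
    let mut vault = Vault { online: false, data: HashMap::new() };
    let mut cluster = Cluster { secrets: HashMap::new() };
    let mut taken = Vec::new();
    taken.push(reconcile(&obj, &mut vault, &mut cluster)); // Vault down, nothing anywhere
    taken.push(reconcile(&obj, &mut vault, &mut cluster)); // Vault still down, Secret exists
    vault.online = true;
    taken.push(reconcile(&obj, &mut vault, &mut cluster)); // Vault back, only cluster has it
    vault.data.insert(obj.name.clone(), b"rotated".to_vec()); // value rotated in Vault
    taken.push(reconcile(&obj, &mut vault, &mut cluster)); // Vault wins, cluster updated
    (taken, cluster.secrets[&obj.name].clone(), vault.data[&obj.name].clone())
}

fn main() {
    let (actions, c, v) = bootstrap_scenario();
    println!("{:?}", actions);
    println!("cluster={} vault={}", String::from_utf8_lossy(&c), String::from_utf8_lossy(&v));
}
```

Two things worth noticing when reading the rules this way: while Vault is down the controller never overwrites a Secret that already exists, which is what lets a cluster bootstrap before Vault is up; and once Vault is reachable, rule 1 wins over rule 2, so a value that was created in the cluster from the encrypted payload is only pushed if Vault still lacks it, and any value already in Vault overwrites the cluster copy on the next pass.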