secrets-manager - A daemon to sync Vault secrets to Kubernetes secrets

  •        25

Lots of companies use Vault as their secrets store backend for multiple kind of secrets and different purposes. Kubernetes brings a nice secrets API, but it means that you have two different sources of truth for your secrets. secrets-manager tries to solve this, by reading secrets from Vault and comparing them to Kubernetes secrets, creating and updating them as you do it in Vault.

https://github.com/tuenti/secrets-manager

Tags
Implementation
License
Platform

   




Related Projects

kubernetes-external-secrets - 💂 Kubernetes External Secrets

  •    Javascript

Kubernetes External Secrets allows you to use external secret management systems (e.g., AWS Secrets Manager) to securely add secrets in Kubernetes. Read more about the design and motivation for Kubernetes External Secrets on the GoDaddy Engineering Blog. The project extends the Kubernetes API by adding a ExternalSecrets object using Custom Resource Definition and a controller to implement the behavior of the object itself.

kubernetes-vault - Use Vault to store secrets for Kubernetes!

  •    Go

The Kubernetes-Vault project allows pods to automatically receive a Vault token using Vault's AppRole auth backend.To run Kubernetes-Vault on your cluster, follow the quick start guide.

vault-on-gke - Run @HashiCorp Vault on Google Kubernetes Engine (GKE) with Terraform

  •    HCL

This tutorial walks through provisioning a highly-available HashiCorp Vault cluster on Google Kubernetes Engine using HashiCorp Terraform as the provisioning tool. This tutorial is based on Kelsey Hightower's Vault on Google Kubernetes Engine, but focuses on codifying the steps in Terraform instead of teaching you them individually. If you would like to know how to provision HashiCorp Vault on Kuberenetes step-by-step (aka "the hard way"), please follow Kelsey's repository instead.

gomplate - A flexible commandline tool for template rendering

  •    Go

Read the docs at gomplate.hairyhenderson.ca. gomplate is a template renderer which supports a growing list of datasources, such as: JSON (including EJSON - encrypted JSON), YAML, AWS EC2 metadata, BoltDB, Hashicorp Consul and Hashicorp Vault secrets.

sealed-secrets - A Kubernetes controller and tool for one-way encrypted Secrets

  •    Go

Solution: Encrypt your Secret into a SealedSecret, which is safe to store - even to a public repository. The SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret. See https://github.com/bitnami-labs/sealed-secrets/releases for the latest release.


buttercup-desktop - :key: Javascript Secrets Vault - Multi-Platform Desktop Application

  •    Javascript

Cross-platform, free and open-source password manager based on NodeJS. Buttercup is a password manager - an assistant for helping you store all of your login credentials. Buttercup helps you keep your accounts safe and assists you when you want to log in - all you need to do is remember just one password: your master password.

kamus - An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications

  •    CSharp

An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enable users to easily encrypt secrets than can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS and AES). To learn more about Kamus, check out the blog post and slides. If you're running Kamus locally the Kamus URL will be like http://localhost:<port>. So you need to add --allow-insecure-url flag to enable http protocol.

Vault - A tool for managing secrets

  •    Go

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.

chezmoi - Manage your dotfiles securely across multiple machines.

  •    Go

Manage your dotfiles securely across multiple machines. Secure: chezmoi can retreive secrets from 1Password, Bitwarden, LastPass, pass, Vault, your Keychain (on macOS), GNOME Keyring (on Linux), or any command-line utility of your choice. You can checkout your dotfiles repo on as many machines as you want without revealing any secrets to anyone.

arc - A manager for your secrets.

  •    Javascript

A manager for your secrets. Arc is a manager for your secrets made of arcd, a RESTful API server written in Go which exposes read and write primitives for encrypted records, and arc, the client application implemented in HTML5 and javascript, which runs in every modern browser and it is served by arcd itself.

kube-cert-manager - Manage Lets Encrypt certificates for a Kubernetes cluster.

  •    Go

This is not an official Google Project.The secrets created by the Kubernetes Certificate Manager can be used to configure any TLS terminating load balancer.

konfd - Manage application configuration using Kubernetes secrets, configmaps, and Go templates.

  •    Go

Manage application configuration using Kubernetes secrets, configmaps, and Go templates.See the templates docs for more details.

chef-vault - Securely manage passwords, certs, and other secrets in Chef

  •    Ruby

Gem that allows you to encrypt a Chef Data Bag Item using the public keys of a list of chef nodes. This allows only those chef nodes to decrypt the encrypted values.For a more detailed explanation of how chef-vault works, please refer to this blog post Chef Vault – what is it and what can it do for you? by Nell Shamrell-Harrington.

SOPS: Secrets OPerationS

  •    Go

sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault and PGP.

Keywhiz - A system for distributing and managing secrets

  •    Java

Keywhiz is a system for managing and distributing secrets. Keywhiz servers in a cluster centrally store secrets encrypted in a database. Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI or web app UI. To enable workflows, Keywhiz has automation APIs over mTLS and support for simple secret generation plugins.

ejson - EJSON is a small library to manage encrypted secrets using asymmetric encryption.

  •    Go

ejson is a utility for managing a collection of secrets in source control. The secrets are encrypted using public key, elliptic curve cryptography (NaCl Box: Curve25519 + Salsa20 + Poly1305-AES). Secrets are collected in a JSON file, in which all the string values are encrypted. Public keys are embedded in the file, and the decrypter looks up the corresponding private key from its local filesystem.See the manpages for more technical documentation.

git-secrets - Prevents you from committing secrets and credentials into git repositories

  •    Shell

Prevents you from committing passwords and other sensitive information to a git repository.git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected.

chamber - CLI for managing secrets

  •    Go

Chamber is a tool for managing secrets. Currently it does so by storing secrets in SSM Parameter Store, an AWS service for storing secrets. Starting with version 2.0, chamber uses parameter store's path based API by default. Chamber pre-2.0 supported this API using the CHAMBER_USE_PATHS environment variable. The paths based API has performance benefits and is the recommended best practice by AWS.

berglas - A tool for managing secrets on Google Cloud

  •    Go

Berglas is a command line tool and library for storing and and retrieving secrets on Google Cloud. Secrets are encrypted with Cloud KMS and stored in Cloud Storage. As a CLI, berglas automates the process of encrypting, decrypting, and storing data on Google Cloud.