Skip to content

Minimalistic init system for containers injecting secrets from various secret stores

License

Notifications You must be signed in to change notification settings

bank-vaults/secret-init

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

secret-init

GitHub Workflow Status OpenSSF Scorecard

Minimalistic init system for containers injecting secrets from various secret stores.

Features

  • Multi-provider support - Automatically deduces and initializes required secret providers from environment variable references.
  • Async loading - Secrets are loaded asynchronously to improve speed.
  • Renew secrets - Use daemon mode to renew secrets in the background.
Supported Providers Stability
Local provider ✅ Production Ready
HashiCorp Vault ✅ Production Ready
OpenBao 🟡 Beta
AWS Secrets Manager / AWS Systems Manager Parameter Store ✅ Production Ready
Google Cloud Secret Manager ✅ Production Ready
Azure Key Vault ✅ Production Ready

Getting started

  • secret-init is designed for use with the Kubernetes mutating webhook. It can also function as a standalone tool.
  • Take a look at some of the examples that showcase the use of secret-init.

Development

For an optimal developer experience, it is recommended to install Nix and direnv.

Alternatively, install Go on your computer then run make deps to install the rest of the dependencies.

Make sure Docker is installed with Compose and Buildx.

Run project dependencies:

make up

Build a binary:

make build

Run the test suite:

make test
make test-e2e

Run linters:

make lint # pass -j option to run them in parallel

Some linter violations can automatically be fixed:

make fmt

Build artifacts locally:

make artifacts

Once you are done either stop or tear down dependencies:

make stop

# OR

make down

License

The project is licensed under the Apache 2.0 License.