Secret Sync
Secret Sync exposes a generic way to interact with external secret storage systems like HashiCorp Vault and provides a set of API models to interact and orchestrate the synchronization of secrets between them.
[!IMPORTANT] This is an early alpha version and breaking changes are expected. As such, it is not recommended for usage in production. We are actively working on expanding the list of supported stores and consolidating our APIs.
You can support us with your feedback, bug reports, and feature requests.
Features
- Simple integration with a variety of secret storage systems
- User-friendly API to facilitate interaction between different storage systems
- Pipeline-like syntax for defining synchronization actions on a secret level
- Advanced templating capabilities for transforming secrets
| Supported store | Status |
|---|---|
| HashiCorp Vault | alpha |
| [Local Provider] | alpha |
| AWS Secrets Manager | planned |
| Google Secrets Manager | planned |
| Azure Key Vault | planned |
| Kubernetes Secret | planned |
Check details about upcoming features by visiting the project issue board.
Goals
- Provide safe and simple way to work with secrets
- Expose common API for secret management regardless of the store backend
- Give total control of the secret synchronization process
Consider a situation where Dev teams need access to secrets from different environments. Ops teams can provide access to secrets in the form of an isolated environment (e.g. new Vault instance) synced only with secrets Devs require; all in GitOps way.
Getting started
To get familiarized, check out the collection of different examples using this tool.
Documentation
Check out the project documentation or pkg.go.dev.
Development
For an optimal developer experience, it is recommended to install Nix and direnv.
Alternatively, install Go on your computer then run make deps to install the rest of the dependencies.
Make sure Docker is installed with Compose and Buildx.
Run project dependencies:
make upBuild the CLI:
make buildRun the test suite:
make testRun linters:
make lint # pass -j option to run them in parallelSome linter violations can automatically be fixed:
make fmtBuild artifacts locally:
make artifactsOnce you are done either stop or tear down dependencies:
make stop
# OR
make downLicense
The project is licensed under the Apache 2.0 License.