Language: Go
License: MIT License

Repository Details

Integrates SPIFFE and Vault for secretless authentication

SPIFFE Vault

Integrates SPIFFE SVID authentication with Hashicorp Vault to retrieve a VAULT_TOKEN.


Example usecases

  • Read secrets from Hashicorp Vault without providing a secret to authenticate against Hashicorp Vault. Instead we use a SPIFFE SVID to authenticate ourselves against Hashicorp Vault.

  • Perform secretless/keyless code signing by utilizing the Hashicorp Vault Transit engine as a software-defined HSM. This resolves the issue of having signing keys on a local machine and also resolves the issue of managing secrets to access the signing keys. Again we utilize the SPIFFE SVID to authenticate against Hashicorp Vault.

Build

Compile

make build

Docker

Using the default DOCKER_HOST on your system (usually unix:///var/run/docker.sock), you can build the docker image with:

make image

Using e.g. the colima DOCKER_HOST (usually unix:///Users/marco/.colima/default/docker.sock), you can build the docker image with:

DOCKER_HOST=unix:///Users/marco/.colima/default/docker.sock make image

Use

Basic

$ export VAULT_ADDR=http://localhost:8200
$ bin/spiffe-vault auth -role my-role
# Export following environment variable to authenticate to Hashicorp Vault
export VAULT_TOKEN=s.IK1LBrCGXFQDAgawmhNLbcDH
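The exchange behind `bin/spiffe-vault auth -role my-role`, as an added example that is not part of the spiffe-vault code: the JWT-SVID is posted to Vault's JWT auth login path (auth/jwt/login, the path that `vault token lookup` reports for these tokens), the short-lived client token is read from the response, and the `export VAULT_TOKEN=` line is rendered for the shell. The in-process fake Vault server, the token and accessor values, the auth mount name `jwt` and the SVID string are all constructed so the example runs offline; a real workload would obtain the SVID from the SPIFFE Workload API, which this example does not do. Single-quoting the token in the export line is this example's choice, not the CLI's output format.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// LoginResult is the subset of Vault's login response a caller cares about.
type LoginResult struct {
	Token         string
	Accessor      string
	Policies      []string
	LeaseDuration time.Duration
	Renewable     bool
}

// VaultJWTLogin posts a JWT-SVID to the Vault JWT auth method mounted at authPath ("jwt" gives
// auth/jwt/login) and returns the short-lived client token. The SVID is the only credential sent.
func VaultJWTLogin(client *http.Client, vaultAddr, authPath, role, jwt string) (*LoginResult, error) {
	body, err := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	if err != nil {
		return nil, err
	}
	url := strings.TrimRight(vaultAddr, "/") + "/v1/auth/" + authPath + "/login"
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var parsed struct {
		Errors []string `json:"errors"`
		Auth   struct {
			ClientToken   string   `json:"client_token"`
			Accessor      string   `json:"accessor"`
			Policies      []string `json:"policies"`
			LeaseDuration int      `json:"lease_duration"`
			Renewable     bool     `json:"renewable"`
		} `json:"auth"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&parsed); err != nil {
		return nil, fmt.Errorf("decoding Vault response: %w", err)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault login failed (%d): %s", resp.StatusCode, strings.Join(parsed.Errors, "; "))
	}
	if parsed.Auth.ClientToken == "" {
		return nil, fmt.Errorf("vault login returned no client token")
	}
	return &LoginResult{parsed.Auth.ClientToken, parsed.Auth.Accessor, parsed.Auth.Policies,
		time.Duration(parsed.Auth.LeaseDuration) * time.Second, parsed.Auth.Renewable}, nil
}

// ExportLine renders the line a shell will source. The token is single-quoted so that
// `source <(...)` cannot execute anything if a token ever held shell metacharacters.
func ExportLine(token string) string {
	return "export VAULT_TOKEN='" + strings.ReplaceAll(token, "'", `'\''`) + "'"
}

// NewFakeVault is a constructed stand-in for Vault's JWT login endpoint so the example runs offline.
// It accepts only allowedRole with a non-empty JWT and answers in Vault's JSON shape with a 1m renewable lease.
func NewFakeVault(allowedRole string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		var in struct{ Role, JWT string } // encoding/json matches "role"/"jwt" case-insensitively
		if r.Method != http.MethodPost || r.URL.Path != "/v1/auth/jwt/login" ||
			json.NewDecoder(r.Body).Decode(&in) != nil || in.Role != allowedRole || in.JWT == "" {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"errors":["role not found or JWT rejected"]}`)
			return
		}
		fmt.Fprint(w, `{"auth":{"client_token":"hvs.constructed-example-token","accessor":"constructed-accessor",`+
			`"policies":["default","my-role"],"lease_duration":60,"renewable":true}}`)
	}))
}

func main() {
	vault := NewFakeVault("my-role")
	defer vault.Close()
	// A real workload fetches this from the SPIFFE Workload API; it is a constructed placeholder here.
	res, err := VaultJWTLogin(vault.Client(), vault.URL, "jwt", "my-role", "eyJ.constructed.svid")
	if err != nil {
		fmt.Println("login failed:", err)
		return
	}
	fmt.Println(ExportLine(res.Token))
}
```

Point the `vaultAddr` argument at a real `VAULT_ADDR` and the login returns the same fields the README's `vault token lookup` shows (accessor, policies, a one-minute renewable TTL), which is what makes the token safe to treat as disposable: it is bound to the SPIFFE ID of the workload and expires on its own if not renewed.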

Advanced

Depending on the shell you are using, you can export the variable automatically. Note that the bash variant below leaves the live token in /tmp/spiffe-vault; delete that file once it has been sourced.

bash
$ export VAULT_ADDR=http://localhost:8200
$ echo "$(bin/spiffe-vault auth -role my-role)" > /tmp/spiffe-vault
$ source /tmp/spiffe-vault
$ vault kv get secrets/my-key
====== Metadata ======
Key              Value
---              -----
created_time     2021-08-24T08:20:54.925866504Z
deletion_time    n/a
destroyed        false
version          1

============= Data =============
Key                       Value
---                       -----
username                  marco
password                  Supers3cr3t!
$ vault token lookup
Key                 Value
---                 -----
accessor            rwpXIHXzbVIMN2TL25Lfssef
creation_time       1629970184
creation_ttl        1m
display_name        jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
entity_id           8904661e-5a9f-3af5-c269-257e8a0a31d0
expire_time         2021-08-26T09:30:44.424072877Z
explicit_max_ttl    0s
id                  s.eOdhqe1hVV0OPS7M0TSeEqjG
issue_time          2021-08-26T09:29:44.424078028Z
meta                map[role:my-role]
num_uses            0
orphan              true
path                auth/jwt/login
policies            [default my-role]
renewable           true
ttl                 13s
type                service
$ vault token renew
Key                  Value
---                  -----
token                s.f1mFvr0TdEuvmfcZT0jBLCc5
token_accessor       vxginlb81XMEIPefLpRz1P24
token_duration       1m
token_renewable      true
token_policies       ["default" "my-role"]
identity_policies    []
policies             ["default" "my-role"]
token_meta_role      my-role
$ vault token lookup
Key                  Value
---                  -----
accessor             vxginlb81XMEIPefLpRz1P24
creation_time        1629970320
creation_ttl         1m
display_name         jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
entity_id            8904661e-5a9f-3af5-c269-257e8a0a31d0
expire_time          2021-08-26T09:33:53.57444787Z
explicit_max_ttl     0s
id                   s.f1mFvr0TdEuvmfcZT0jBLCc5
issue_time           2021-08-26T09:32:00.135787193Z
last_renewal         2021-08-26T09:32:53.574447972Z
last_renewal_time    1629970373
meta                 map[role:my-role]
num_uses             0
orphan               true
path                 auth/jwt/login
policies             [default my-role]
renewable            true
ttl                  56s
type                 service
$ vault write transit/sign/my-key input="$(echo stuff | base64)"
Key            Value
---            -----
key_version    1
signature      vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=
$ vault write transit/verify/my-key input="$(echo stuff | base64)" signature=vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=
zsh
$ export VAULT_ADDR=http://localhost:8200
$ source <(bin/spiffe-vault auth -role my-role)
$ vault kv get secrets/my-key
====== Metadata ======
Key              Value
---              -----
created_time     2021-08-24T08:20:54.925866504Z
deletion_time    n/a
destroyed        false
version          1

============= Data =============
Key                       Value
---                       -----
username                  marco
password                  Supers3cr3t!
$ vault token lookup
Key                 Value
---                 -----
accessor            rwpXIHXzbVIMN2TL25Lfssef
creation_time       1629970184
creation_ttl        1m
display_name        jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
entity_id           8904661e-5a9f-3af5-c269-257e8a0a31d0
expire_time         2021-08-26T09:30:44.424072877Z
explicit_max_ttl    0s
id                  s.eOdhqe1hVV0OPS7M0TSeEqjG
issue_time          2021-08-26T09:29:44.424078028Z
meta                map[role:my-role]
num_uses            0
orphan              true
path                auth/jwt/login
policies            [default my-role]
renewable           true
ttl                 13s
type                service
$ vault token renew
Key                  Value
---                  -----
token                s.f1mFvr0TdEuvmfcZT0jBLCc5
token_accessor       vxginlb81XMEIPefLpRz1P24
token_duration       1m
token_renewable      true
token_policies       ["default" "my-role"]
identity_policies    []
policies             ["default" "my-role"]
token_meta_role      my-role
$ vault token lookup
Key                  Value
---                  -----
accessor             vxginlb81XMEIPefLpRz1P24
creation_time        1629970320
creation_ttl         1m
display_name         jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
entity_id            8904661e-5a9f-3af5-c269-257e8a0a31d0
expire_time          2021-08-26T09:33:53.57444787Z
explicit_max_ttl     0s
id                   s.f1mFvr0TdEuvmfcZT0jBLCc5
issue_time           2021-08-26T09:32:00.135787193Z
last_renewal         2021-08-26T09:32:53.574447972Z
last_renewal_time    1629970373
meta                 map[role:my-role]
num_uses             0
orphan               true
path                 auth/jwt/login
policies             [default my-role]
renewable            true
ttl                  56s
type                 service
$ vault write transit/sign/my-key input="$(echo stuff | base64)"
Key            Value
---            -----
key_version    1
signature      vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=
$ vault write transit/verify/my-key input="$(echo stuff | base64)" signature=vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=

See the example directory for an example infrastructure setup on Kubernetes that integrates the whole ecosystem. This includes a SPIRE and Vault deployment as well as spiffe-vault as an example workload.
