Vaultly secrets management agent.

The agent is required only when secrets are managed externally to the Kubernetes cluster. Upon supplying a valid private RSA or ECDSA key, the configuration tool will compile a fresh agent that incorporates that key. The derived public key must be stored as a Kubernetes secret named vaultly_agent_pub_key in the Infiscal namespace.

Agent‑Mode Operation (Vaultly + Infiscal)

Environment Configuration

Set the environment variable VAULTLY_SYNC_AGENT to true:
export VAULTLY_SYNC_AGENT=true

The agent will detect this flag at startup and enable the sync workflow.

Synchronization Behavior

  • The agent polls the Infiscal database at the interval configured in the agent’s settings.
  • For every change detected (create, update, delete) the agent propagates the corresponding operation to the target Kubernetes cluster.
  • The sync respects the namespace and secret names defined in the Infiscal configuration, keeping Kubernetes secrets in sync with the source database.

Deployment Context

Deploy the agent on the same host or container as the Infiscal server so it can access the Infiscal database directly.

Ensure the Kubernetes cluster credentials (service account, kubeconfig, etc.) are available to the agent so it can perform CRUD operations on secrets.

Summary

In agent mode, when VAULTLY_SYNC_AGENT=true, Vaultly continuously polls the Infiscal database and mirrors all secret changes (create, update, delete) into the configured Kubernetes cluster.

CLI‑Mode Operation (Vaultly + Infiscal)

How to Enter CLI Mode

Start the agent **without** the VAULTLY_SYNC_AGENT environment variable (or set it to false).

What CLI Mode Provides

  • Turns the running agent into an interactive command‑line tool.
  • Allows manual inspection of secrets stored in the Infiscal database.
  • Enables direct creation, update, and deletion of secrets from the CLI.
  • Offers commands to display current synchronization status.
  • Reports any desynchronization (desync) problems between Infiscal and Kubernetes.

Typical Commands

Command                               Description
vaultly sync status                   Show last sync time and any pending changes.
vaultly sync desync-check             Detect secrets that are out of sync between Infiscal and Kubernetes.
vaultly secret list                   List all secrets in the Infiscal database.
vaultly secret create <name> <value>  Create a new secret in Infiscal.
vaultly secret update <name> <value>  Update an existing secret.
vaultly secret delete <name>          Remove a secret from Infiscal.

Getting Started

1. Open a terminal and navigate to the directory containing the compiled agent binary.
2. Run the binary without any environment variables:
./vaultly_agent
3. The prompt will switch to a CLI interface where you can type the commands above.

Monitoring Sync Health

Use vaultly sync status regularly to ensure the agent has processed all changes. If the CLI reports desynchronization, run vaultly sync desync-check to identify the specific secrets that need manual intervention.
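The polling and mirroring described under Synchronization Behavior, and the report that vaultly sync desync-check produces, both reduce to one comparison of the desired state (Infiscal) against the observed state (Kubernetes). The Go program below is an added example written for this page, not Vaultly's own code: it assumes both stores can be read into a map keyed by namespace and name, uses an in-memory map in place of the Kubernetes secrets API, and fills it with constructed placeholder values. The diff yields the create/update/delete operations the agent replays each interval; the same diff, left unapplied, is the desync report, which names drifted secrets without ever printing their values.

```go
package main

import (
	"fmt"
	"sort"
)

// Secret identifies a Kubernetes secret by namespace and name, the same
// pair the Infiscal configuration assigns to each entry.
type Secret struct {
	Namespace, Name string
}

// Op is one change the agent replays into the cluster.
type Op struct {
	Kind      string // "create", "update" or "delete"
	Namespace string
	Name      string
	Value     string // empty for delete
}

// Diff compares the desired state read from Infiscal with the state observed
// in Kubernetes and returns the operations that make them equal. The result
// is sorted by namespace and name so repeated runs give stable output.
func Diff(desired, actual map[Secret]string) []Op {
	var ops []Op
	for s, want := range desired {
		have, present := actual[s]
		switch {
		case !present:
			ops = append(ops, Op{Kind: "create", Namespace: s.Namespace, Name: s.Name, Value: want})
		case have != want:
			ops = append(ops, Op{Kind: "update", Namespace: s.Namespace, Name: s.Name, Value: want})
		}
	}
	for s := range actual {
		if _, present := desired[s]; !present {
			ops = append(ops, Op{Kind: "delete", Namespace: s.Namespace, Name: s.Name})
		}
	}
	sort.Slice(ops, func(i, j int) bool {
		if ops[i].Namespace != ops[j].Namespace {
			return ops[i].Namespace < ops[j].Namespace
		}
		return ops[i].Name < ops[j].Name
	})
	return ops
}

// Apply replays the operations into target, which stands in for the
// Kubernetes secrets API in this example.
func Apply(target map[Secret]string, ops []Op) {
	for _, op := range ops {
		key := Secret{Namespace: op.Namespace, Name: op.Name}
		if op.Kind == "delete" {
			delete(target, key)
			continue
		}
		target[key] = op.Value
	}
}

// DesyncCheck lists every secret that is out of sync, naming the secret and
// the kind of drift but never including the secret value itself.
func DesyncCheck(desired, actual map[Secret]string) []string {
	var report []string
	for _, op := range Diff(desired, actual) {
		report = append(report, fmt.Sprintf("%s/%s: %s pending", op.Namespace, op.Name, op.Kind))
	}
	return report
}

// Poll runs one sync cycle: compute the drift, apply it, and return how many
// operations were replayed. A real agent calls this at its configured interval.
func Poll(desired, actual map[Secret]string) int {
	ops := Diff(desired, actual)
	Apply(actual, ops)
	return len(ops)
}

func main() {
	// Constructed sample state; the values are placeholders, not real secrets.
	desired := map[Secret]string{
		{"infiscal", "db-password"}: "placeholder-1",
		{"infiscal", "api-token"}:   "placeholder-2-rotated",
	}
	actual := map[Secret]string{
		{"infiscal", "db-password"}: "placeholder-1",
		{"infiscal", "api-token"}:   "placeholder-2",
		{"infiscal", "legacy-key"}:  "placeholder-3",
	}
	for _, line := range DesyncCheck(desired, actual) {
		fmt.Println(line)
	}
	n := Poll(desired, actual)
	fmt.Printf("replayed %d operations, %d still pending\n", n, len(Diff(desired, actual)))
}
```

Deletes are derived from the observed side, so a secret removed in Infiscal disappears from the cluster on the next cycle, which is the behaviour the Summary above describes; if that is not wanted for a given namespace, filter the delete operations before Apply rather than in Diff, so the desync report still shows them.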

Zero‑Configuration Agent Build

Overview

Create a ready‑to‑use Vaultly agent binary in a single step. By baking the private key (RSA or ECDSA) into the compiled binary you eliminate any post‑deployment configuration – the agent automatically discovers the correct Infiscal and Kubernetes endpoints from the cluster’s environment.

Step‑by‑Step Guide

  1. Generate a private key – Create an RSA key with OpenSSL:
     openssl genrsa -out private.pem
     (Use `openssl ecparam -name secp256k1 -genkey -noout -out private.pem` for ECDSA if preferred.)
  2. Build the agent – Run the build command that embeds the key into the binary. For example, using a simple wrapper script:
     vaultly build --key private.pem --output vaultly_agent
     The build tool (part of the Vaultly CLI) injects the key into the binary at compile time. No separate upload step is required.
  3. If you don't have a pre‑generated Vaultly agent – Upload the PEM file in the upload box below to have it compiled and to receive a download link. If you don't see the upload section, enable the agent generator in the config: enable_agent_generator: true
  4. If you have a pre‑generated Vaultly agent – Disable the agent generator UI (set enable_agent_generator to false).
  5. Deploy the binary – Copy vaultly_agent to your Kubernetes nodes or run it as a container alongside the Infiscal server. No additional environment variables or configuration files are needed.
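Deriving the public key that goes into the vaultly_agent_pub_key secret (see the introduction), and checking that the key baked into a built agent is the one the cluster was given, as an added Go example written for this page (not Vaultly's build tool or agent code). It assumes the key file is one of the PEM encodings OpenSSL writes (PKCS#1 "RSA PRIVATE KEY", SEC 1 "EC PRIVATE KEY", or PKCS#8 "PRIVATE KEY", which newer openssl genrsa emits), and it generates throwaway keys in memory as constructed input. Go's crypto/x509 parses the NIST curves only, so a key produced by the secp256k1 command above would be rejected by this helper; a prime256v1 key parses as shown.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// PublicKeyPEM derives the public half of a PEM-encoded private key and
// returns it as a PKIX "PUBLIC KEY" block, the form to store in the
// vaultly_agent_pub_key secret. The private key never leaves this function.
func PublicKeyPEM(privPEM []byte) ([]byte, error) {
	block, _ := pem.Decode(privPEM)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	var priv interface{}
	var err error
	switch block.Type {
	case "RSA PRIVATE KEY": // openssl genrsa (OpenSSL 1.1)
		priv, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY": // openssl ecparam -genkey
		priv, err = x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY": // PKCS#8, openssl genrsa/genpkey (OpenSSL 3)
		priv, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	default:
		err = fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	if err != nil {
		return nil, err
	}
	// RSA and ECDSA private keys both expose their public key via crypto.Signer.
	signer, ok := priv.(crypto.Signer)
	if !ok {
		return nil, fmt.Errorf("unsupported key type %T", priv)
	}
	der, err := x509.MarshalPKIXPublicKey(signer.Public())
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Fingerprint hashes the DER form of a public key so operators can compare
// the agent's key with the cluster copy without handling the private key.
func Fingerprint(pubPEM []byte) (string, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return "", errors.New("not a PUBLIC KEY PEM block")
	}
	sum := sha256.Sum256(block.Bytes)
	return hex.EncodeToString(sum[:]), nil
}

// MatchesCluster reports whether the private key baked into the agent
// corresponds to the public key the cluster holds; a mismatch means the
// binary was built from a different key than the one that was published.
func MatchesCluster(embeddedPrivPEM, clusterPubPEM []byte) (bool, error) {
	derived, err := PublicKeyPEM(embeddedPrivPEM)
	if err != nil {
		return false, err
	}
	got, err1 := Fingerprint(derived)
	want, err2 := Fingerprint(clusterPubPEM)
	if err1 != nil || err2 != nil {
		return false, errors.New("malformed public key")
	}
	return got == want, nil
}

// NewECKeyPEM and NewRSAKeyPEM produce constructed throwaway keys in the
// encodings the OpenSSL commands above write; they exist only as sample input.
func NewECKeyPEM() []byte {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalECPrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

func NewRSAKeyPEM() []byte {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
}

func main() {
	priv := NewECKeyPEM()
	pub, err := PublicKeyPEM(priv)
	if err != nil {
		panic(err)
	}
	fp, _ := Fingerprint(pub)
	fmt.Printf("public key for vaultly_agent_pub_key:\n%sfingerprint sha256:%s\n", pub, fp)
	ok, _ := MatchesCluster(priv, pub)
	fmt.Println("embedded key matches cluster copy:", ok)
}
```

Record the fingerprint alongside the build that consumed private.pem; at deploy time MatchesCluster is the check that the binary placed on a node was built from the key the cluster was told to trust, and it needs only the public material on the cluster side.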

Benefits

  • Zero‑touch deployment: all credentials are baked into the binary.
  • Endpoint discovery is automatic – the agent adapts to changes in the cluster.
  • Strong security: the key never resides in environment variables or plain files after the build.

Caveats

  • The binary is immutable once built; to change the key or endpoints you must rebuild the agent.
  • Keep the private.pem file secure while it is on your local machine, and treat the built binary with the same care: the embedded private key can be recovered from it by anyone who obtains a copy.