Skip to content

hypnoglow/envexec

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

100 Commits

.github

.github

 
 

_examples/docker

_examples/docker

 
 

docker

docker

 
 

internal

internal

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

.goreleaser.yml

.goreleaser.yml

 
 

.tool-versions

.tool-versions

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

Repository files navigation

envexec

main GitHub license

envexec helps to provision an application by taking values from sources like Vault and bringing them as environment variables.

Features

  • Out of process (no code dependency)
  • Works with any app written in any language
  • One small static binary (💙 Golang)
  • Familiar configuration format, with versions
  • No supervising, just replaces the process with exec
  • Simple Docker integration

Usage

Docker

The easiest way to embed envexec into your Docker image is to just copy the binary from the prebuilt image:

FROM alpine:3.18

COPY --from=hypnoglow/envexec:latest-scratch /envexec /usr/local/bin/envexec

ENTRYPOINT ["envexec", "--"]
CMD ["echo", "Hello from envexec!"]

An alternative approach is to build your image with envexec image as a base:

FROM hypnoglow/envexec:latest-alpine

ENTRYPOINT ["envexec", "--"]
CMD ["echo", "Hello from envexec!"]

NOTE: Using "latest" tags is not recommended. Prefer tagged versions.

See examples for more info.

Providers

Vault

To fetch secrets from Vault and export values as environment variables, you need to prepare a spec. Example:

apiVersion: envexec/v1alpha1
kind: VaultSecrets
secrets:
  - path: secret/namespace/service/some
    key: api_key
    env: SOME_API_KEY
  - path: secret/namespace/service/db
    key: password
    env: DB_PASSWORD

Store this spec in the file vaultsecrets.yaml.

Next you need to prepare environment variables to authenticate in Vault. This depends on the Vault Auth Method. Lets consider the simplest token authentication method:

export VAULT_ADDR="https://vault.company.tld"
export VAULT_METHOD="token"
export VAULT_TOKEN="put-vault-token-here"

Now you just run your app through envexec:

envexec --spec-file vaultsecrets.yaml -- /usr/bin/env

Auth Methods

Token

See: https://www.vaultproject.io/docs/auth/token.html

export VAULT_ADDR="https://vault.company.tld"
export VAULT_METHOD="token"
export VAULT_TOKEN="put-vault-token-here"

envexec --spec-file vaultsecrets.yaml -- /usr/bin/env
Kubernetes

See: https://www.vaultproject.io/docs/auth/kubernetes.html

export VAULT_ADDR="https://vault.company.tld"
export VAULT_AUTH_METHOD="kubernetes"
export VAULT_AUTH_KUBERNETES_ROLE="foo-app"

envexec --spec-file vaultsecrets.yaml /usr/bin/env

Acknowledgements

Inspired by:

About

A tool that executes any command or application provisioning its environment with variables from providers (like secrets from Vault).

Topics

docker kubernetes environment vault

Resources

Readme

License

Apache-2.0 license
Activity

Stars

11 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases 2

v0.2.0 Latest
Oct 21, 2023
+ 1 release

Contributors 2

  •  
  •  

Languages