Skip to content
This repository was archived by the owner on Jul 23, 2024. It is now read-only.
/ envexec Public archive

A tool that executes any command or application provisioning its environment with variables from providers (like secrets from Vault).

License

Apache-2.0 license
11 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

hypnoglow/envexec

BranchesTags

Repository files navigation

envexec

main GitHub license

envexec helps to provision an application by taking values from sources like Vault and bringing them as environment variables.

Status

Important

The project has been discontinued.

Recommended replacements:

Features

  • Out of process (no code dependency)
  • Works with any app written in any language
  • One small static binary (💙 Golang)
  • Familiar configuration format, with versions
  • No supervising, just replaces the process with exec
  • Simple Docker integration

Usage

Docker

The easiest way to embed envexec into your Docker image is to just copy the binary from the prebuilt image:

FROM alpine:3.19

COPY --from=hypnoglow/envexec:latest-scratch /envexec /usr/local/bin/envexec

ENTRYPOINT ["envexec", "--"]
CMD ["echo", "Hello from envexec!"]

An alternative approach is to build your image with envexec image as a base:

FROM hypnoglow/envexec:latest-alpine

ENTRYPOINT ["envexec", "--"]
CMD ["echo", "Hello from envexec!"]

NOTE: Using "latest" tags is not recommended. Prefer tagged versions.

See examples for more info.

Providers

Vault

To fetch secrets from Vault and export values as environment variables, you need to prepare a spec. Example:

apiVersion: envexec/v1alpha1
kind: VaultSecrets
secrets:
  - path: secret/namespace/service/some
    key: api_key
    env: SOME_API_KEY
  - path: secret/namespace/service/db
    key: password
    env: DB_PASSWORD

Store this spec in the file vaultsecrets.yaml.

Next you need to prepare environment variables to authenticate in Vault. This depends on the Vault Auth Method. Lets consider the simplest token authentication method:

export VAULT_ADDR="https://vault.company.tld"
export VAULT_METHOD="token"
export VAULT_TOKEN="put-vault-token-here"

Now you just run your app through envexec:

envexec --spec-file vaultsecrets.yaml -- /usr/bin/env

Auth Methods

Token

See: https://www.vaultproject.io/docs/auth/token.html

export VAULT_ADDR="https://vault.company.tld"
export VAULT_METHOD="token"
export VAULT_TOKEN="put-vault-token-here"

envexec --spec-file vaultsecrets.yaml -- /usr/bin/env
Kubernetes

See: https://www.vaultproject.io/docs/auth/kubernetes.html

export VAULT_ADDR="https://vault.company.tld"
export VAULT_AUTH_METHOD="kubernetes"
export VAULT_AUTH_KUBERNETES_ROLE="foo-app"

envexec --spec-file vaultsecrets.yaml /usr/bin/env

Acknowledgements

Inspired by:

About

A tool that executes any command or application provisioning its environment with variables from providers (like secrets from Vault).

Topics

docker kubernetes environment vault

Resources

Readme

License

Apache-2.0 license
Activity

Stars

11 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases 2

v0.2.0 Latest
Oct 21, 2023
+ 1 release

Contributors 2

  •  
  •  

Languages