envexec helps provision an application by taking values from sources like Vault and exposing them to the application as environment variables.
- Out of process (no code dependency)
- Works with any app written in any language
- One small static binary (💙 Golang)
- Familiar configuration format, with versions
- No supervising, just replaces the process with `exec`
- Simple Docker integration
The easiest way to embed envexec into your Docker image is to just copy the binary from the prebuilt image:
```dockerfile
FROM alpine:3.18
COPY --from=hypnoglow/envexec:latest-scratch /envexec /usr/local/bin/envexec
ENTRYPOINT ["envexec", "--"]
CMD ["echo", "Hello from envexec!"]
```
An alternative approach is to build your image with the envexec image as a base:
```dockerfile
FROM hypnoglow/envexec:latest-alpine
ENTRYPOINT ["envexec", "--"]
CMD ["echo", "Hello from envexec!"]
```
NOTE: Using "latest" tags is not recommended. Prefer tagged versions.
See examples for more info.
To fetch secrets from Vault and export values as environment variables, you need to prepare a spec. Example:
```yaml
apiVersion: envexec/v1alpha1
kind: VaultSecrets
secrets:
  - path: secret/namespace/service/some
    key: api_key
    env: SOME_API_KEY
  - path: secret/namespace/service/db
    key: password
    env: DB_PASSWORD
```
Store this spec in the file `vaultsecrets.yaml`.
Next, you need to prepare environment variables to authenticate to Vault. These depend on the Vault Auth Method. Let's consider the simplest one, token authentication:
```sh
export VAULT_ADDR="https://vault.company.tld"
export VAULT_METHOD="token"
export VAULT_TOKEN="put-vault-token-here"
```
Now you just run your app through envexec:
```sh
envexec --spec-file vaultsecrets.yaml -- /usr/bin/env
```
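
The hand-off behind this command, shown as an added Go example (not envexec's own code): values are overlaid on the inherited environment and the process is then replaced via `exec`. The `childEnv` helper, the constructed secret values standing in for the Vault lookups, and the removal of `VAULT_TOKEN` from the child's environment are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
	"syscall"
)

// childEnv drops the named inherited variables (this example's own hardening
// choice, not documented envexec behaviour), then overlays secrets on the rest.
func childEnv(base []string, secrets map[string]string, drop ...string) []string {
	merged := make(map[string]string, len(base)+len(secrets))
	for _, kv := range base {
		if k, v, ok := strings.Cut(kv, "="); ok && k != "" {
			merged[k] = v
		}
	}
	for _, k := range drop {
		delete(merged, k)
	}
	for k, v := range secrets {
		merged[k] = v // a secret replaces any inherited variable of the same name
	}
	out := make([]string, 0, len(merged))
	for k, v := range merged {
		out = append(out, k+"="+v)
	}
	sort.Strings(out)
	return out
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: demo command [args...]")
		os.Exit(2)
	}
	// Constructed values standing in for what the Vault lookups would return.
	secrets := map[string]string{"SOME_API_KEY": "constructed-key", "DB_PASSWORD": "constructed-pw"}
	path, err := exec.LookPath(os.Args[1])
	if err == nil {
		// Exec replaces this process image (same PID, no supervisor left); it returns only on failure.
		err = syscall.Exec(path, os.Args[1:], childEnv(os.Environ(), secrets, "VAULT_TOKEN"))
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}
```

Because nothing remains in front of the application after `exec`, the secrets live only in the application's own environment, where they are still readable by anything that can inspect that process.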
See: https://www.vaultproject.io/docs/auth/token.html
```sh
export VAULT_ADDR="https://vault.company.tld"
export VAULT_METHOD="token"
export VAULT_TOKEN="put-vault-token-here"
envexec --spec-file vaultsecrets.yaml -- /usr/bin/env
```
See: https://www.vaultproject.io/docs/auth/kubernetes.html
```sh
export VAULT_ADDR="https://vault.company.tld"
export VAULT_AUTH_METHOD="kubernetes"
export VAULT_AUTH_KUBERNETES_ROLE="foo-app"
envexec --spec-file vaultsecrets.yaml /usr/bin/env
```
Inspired by: