@datatypevoid
Forked from bvis/README.md
Created December 16, 2018 09:28
Docker Env Vars expanded with secrets content

Variables by Secrets

Sample script that lets you put the name of a Docker secret, rather than the secret value itself, into an environment variable. When the container starts it scans every environment variable for the placeholder and replaces the variable's value with the content of the referenced secret.

Usage

You can define the following environment variables:

$ env | grep DB_
DB_HOST=my-db-host
DB_USER=my-db-user
DB_PASS=my-db-pass

Nothing happens: none of these variables is modified when the container starts, because none of them holds the placeholder.

But if a variable's value is the placeholder, the script replaces that value with the content of the referenced secret.

Example

Create Secret

echo "my-db-pass" | docker secret create secret-db-pass -

$ env | grep DB_
DB_HOST=my-db-host
DB_USER=my-db-user
DB_PASS={{DOCKER-SECRET:secret-db-pass}}

At start-up the script looks for the placeholder {{DOCKER-SECRET:xxxx}} in each environment variable and replaces the value with the content of the secret xxxx, read from /run/secrets/xxxx. The secret has to be granted to the service (for example with docker service create --secret secret-db-pass ...) for Swarm to mount it there. In this example you end up with:

DB_HOST=my-db-host
DB_USER=my-db-user
DB_PASS=my-db-pass

How to use it

To use this feature in any image, copy env_secrets_expand.sh into the image and source it from the container entrypoint script (. env_secrets_expand.sh or source env_secrets_expand.sh) before the entrypoint execs the main process. It must be sourced rather than executed: run as a separate process it would export the expanded values only into its own environment, and the main process would still see the placeholders.

How to test this

Start a throwaway Alpine container with the current directory (the one containing env_secrets_expand.sh) mounted at /test and open a shell in it:

docker run --rm -v $PWD:/test -it alpine sh

Emulate the secret mount and the example variables with the following commands:

mkdir -p /run/secrets/
echo "my-db-pass" > /run/secrets/secret-db-pass
export DB_HOST=my-db-host
export DB_USER=my-db-user
export DB_PASS={{DOCKER-SECRET:secret-db-pass}}

Execute the script with debugging enabled. It reports the secret file resolved for DB_PASS and then dumps the expanded environment, plaintext secret included, so do this only in a throwaway container. Because the script runs here as a child process, the expanded values are visible only in that dump; source it instead (. /test/env_secrets_expand.sh) to change the variables of the current shell:

ENV_SECRETS_DEBUG=true /test/env_secrets_expand.sh
env_secrets_expand.sh

#!/bin/sh
# Expand environment variables whose value is a {{DOCKER-SECRET:name}}
# placeholder with the content of ${ENV_SECRETS_DIR}/name. Source this file
# from the container entrypoint (". env_secrets_expand.sh") so that the
# exported values reach the process the entrypoint execs.

# Directory where Docker Swarm mounts secrets; override it for local testing.
: "${ENV_SECRETS_DIR:=/run/secrets}"

env_secret_debug()
{
    # printf instead of "echo -e": echo's -e flag is not portable across
    # /bin/sh implementations (dash prints it literally).
    if [ -n "${ENV_SECRETS_DEBUG:-}" ]; then
        printf '\033[1m%s\033[0m\n' "$*"
    fi
}

# usage: env_secret_expand VAR
# ie: env_secret_expand 'XYZ_DB_PASSWORD'
# Checks whether the value of "$XYZ_DB_PASSWORD" is a placeholder that names
# the docker secret to use instead of the original value. For example:
#   XYZ_DB_PASSWORD={{DOCKER-SECRET:my-db.secret}}
env_secret_expand() {
    var="$1"
    # Only a valid shell identifier may reach eval.
    case "$var" in
        ""|[0-9]*|*[!A-Za-z0-9_]*) return 0 ;;
    esac
    eval "val=\${$var:-}"
    # Docker secret names consist of letters, digits and "_.-"; restricting
    # the match to those characters keeps a placeholder from naming a path
    # outside ENV_SECRETS_DIR. The leading "x" protects expr from values
    # that look like options. "expr STRING : REGEX" is the POSIX form.
    if secret_name=$(expr "x$val" : 'x{{DOCKER-SECRET:\([A-Za-z0-9_.-]\{1,\}\)}}$'); then
        secret="${ENV_SECRETS_DIR}/${secret_name}"
        env_secret_debug "Secret file for $var: $secret"
        if [ -f "$secret" ]; then
            # $(...) strips trailing newlines, so a secret created with
            # "echo value | docker secret create ..." loses its "\n".
            val=$(cat "${secret}")
            export "$var"="$val"
            # NOTE: prints the secret value when debugging is on.
            env_secret_debug "Expanded variable: $var=$val"
        else
            # The placeholder is left in place; the caller is not told.
            env_secret_debug "Secret file does not exist! $secret"
        fi
    fi
}

env_secrets_expand() {
    # Only lines of the form NAME=... yield variable names; continuation
    # lines of multi-line values are skipped instead of being passed to eval.
    for env_var in $(printenv | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p')
    do
        env_secret_expand "$env_var"
    done
    if [ -n "${ENV_SECRETS_DEBUG:-}" ]; then
        # WARNING: dumps every variable, expanded secrets included, to stdout.
        # Do not enable this where container logs are collected.
        printf '\n\033[1mExpanded environment variables\033[0m\n'
        printenv
    fi
}

env_secrets_expand
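As an added example (this is not the gist's script and not part of the original page), here is the same expansion written fail-closed, covering both the entrypoint usage from "How to use it" and the checks from "How to test this": the resolver is a pure function (value in, value out) so its behaviour can be verified without a Swarm; a placeholder that names a secret which is not mounted makes the expansion return non-zero so the entrypoint can refuse to start, instead of logging the problem and leaving the literal placeholder as the password; and the secret name is restricted to the characters Docker accepts, so a placeholder cannot reference a file outside ENV_SECRETS_DIR. The function names secret_ref_name, resolve_secret and expand_env_secrets are this example's own, and the sample secrets directory in the demo is constructed with mktemp.

```shell
#!/bin/sh
# Added example, not the gist's script: a fail-closed variant of the
# {{DOCKER-SECRET:name}} expansion. ENV_SECRETS_DIR and the placeholder
# syntax follow the gist; the function names are this example's own.

: "${ENV_SECRETS_DIR:=/run/secrets}"

# secret_ref_name VALUE
# Prints the secret name when VALUE is exactly "{{DOCKER-SECRET:name}}";
# otherwise prints nothing and returns 1. Names are limited to the
# characters Docker allows in secret names, so a placeholder such as
# {{DOCKER-SECRET:../etc/passwd}} cannot point outside ENV_SECRETS_DIR.
secret_ref_name() {
    prefix='{{DOCKER-SECRET:'
    suffix='}}'
    case "$1" in
        "$prefix"*"$suffix") ;;
        *) return 1 ;;
    esac
    name=${1#"$prefix"}
    name=${name%"$suffix"}
    case "$name" in
        ""|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# resolve_secret VALUE
# Prints VALUE unchanged when it holds no placeholder, or the content of the
# referenced secret file (the caller's $(...) drops the trailing newline,
# matching the gist's cat behaviour). Returns 2 when the placeholder names a
# secret that is not mounted, instead of silently keeping the placeholder.
resolve_secret() {
    if ! name=$(secret_ref_name "$1"); then
        printf '%s\n' "$1"
        return 0
    fi
    file="$ENV_SECRETS_DIR/$name"
    if [ ! -f "$file" ]; then
        printf 'secret "%s" referenced but %s is not mounted\n' "$name" "$file" >&2
        return 2
    fi
    cat "$file"
}

# expand_env_secrets
# Rewrites every exported variable whose value is a placeholder. Only lines
# of the form NAME=... with a valid identifier are taken as variable names,
# so continuation lines of multi-line values never reach eval. Returns 1 if
# any referenced secret is missing; an entrypoint should then not exec.
expand_env_secrets() {
    status=0
    for var in $(printenv | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'); do
        eval "val=\${$var:-}"
        secret_ref_name "$val" >/dev/null || continue
        if new=$(resolve_secret "$val"); then
            export "$var=$new"
        else
            status=1
        fi
    done
    return "$status"
}

# Demonstration with a constructed secrets directory, run in a subshell so
# the demo variables do not leak into the caller's environment. One secret
# exists, one does not, so the expansion refuses to proceed.
demo() (
    dir=$(mktemp -d)
    printf 'my-db-pass\n' > "$dir/secret-db-pass"
    ENV_SECRETS_DIR=$dir
    export DB_HOST=my-db-host
    export DB_PASS='{{DOCKER-SECRET:secret-db-pass}}'
    export DB_TOKEN='{{DOCKER-SECRET:not-created}}'
    if expand_env_secrets; then
        echo "all secrets resolved; entrypoint may exec the service"
    else
        echo "refusing to start: DB_HOST=$DB_HOST DB_PASS=<${#DB_PASS} bytes, redacted> DB_TOKEN=$DB_TOKEN"
    fi
    rm -rf "$dir"
)
demo
```

In an entrypoint this would be ". /usr/local/bin/env_secrets_expand.sh && exec "$@"" (path assumed): the service starts only when every referenced secret was mounted, and the debug dump of the original script is replaced by a message that names the missing secret without printing any value.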