Skip to content

Instantly share code, notes, and snippets.

@letientai299
Forked from bvis/README.md
Created September 28, 2017 16:53
Show Gist options
  • Save letientai299/58a4ccaac981f20c012d8c845d276977 to your computer and use it in GitHub Desktop.
Save letientai299/58a4ccaac981f20c012d8c845d276977 to your computer and use it in GitHub Desktop.
Docker Env Vars expanded with secrets content - fork to make the placeholder works in docker cloud yml file

Variables by Secrets

Sample script that allows you to define as environment variables the name of the docker secret that contains the secret value. It will be in charge of analyze all the environment variables searching for the placeholder to substitute the variable value by the secret.

Usage

You can define the next environment variables:

$ env | grep DB_
DB_HOST=my-db-host
DB_USER=my-db-user
DB_PASS=my-db-pass

And nothing would happen. None of the variables would be modified when starting the container.

But if you define variables with the defined placeholder it will expand the value with the referred secret.

Example

Create Secret

echo "my-db-pass" | docker secret create secret-db-pass -
$ env | grep DB_
DB_HOST=my-db-host
DB_USER=my-db-user
DB_PASS={{DOCKER-SECRET:secret-db-pass}}

When starting the script will search for the placeholder {{DOCKER-SECRET:xxxx}} on each environment variable and will substitute the value by the content of the secret xxxx, in this example it means to end up with:

DB_HOST=my-db-host
DB_USER=my-db-user
DB_PASS=my-db-pass

How to use it

If you want to use this feature on any image just add the env_secrets_expand.sh file in your container entrypoint script and invoke it with source env_secrets_expand.sh

How to test this

Build a sample image with the required dependency and enter into it:

docker run --rm -v $PWD:/test -it alpine sh

Just emulate the creation of a secret and the example variables with the next commands:

mkdir -p /run/secrets/
echo "my-db-pass" > /run/secrets/secret-db-pass
export DB_HOST=my-db-host
export DB_USER=my-db-user
export DB_PASS={{DOCKER-SECRET:secret-db-pass}}

Execute the script:

ENV_SECRETS_DEBUG=true /test/env_secrets_expand.sh
#!/bin/sh
: ${ENV_SECRETS_DIR:=/run/secrets}
env_secret_debug()
{
if [ ! -z "$ENV_SECRETS_DEBUG" ]; then
echo -e "\033[1m$@\033[0m"
fi
}
# usage: env_secret_expand VAR
# ie: env_secret_expand 'XYZ_DB_PASSWORD'
# (will check for "$XYZ_DB_PASSWORD" variable value for a placeholder that defines the
# name of the docker secret to use instead of the original value. For example:
# XYZ_DB_PASSWORD={{DOCKER-SECRET:my-db.secret}}
env_secret_expand() {
var="$1"
eval val=\$$var
if secret_name=$(expr match "$val" "DOCKER-SECRET:\([^}]\+\)$"); then
secret="${ENV_SECRETS_DIR}/${secret_name}"
env_secret_debug "Secret file for $var: $secret"
if [ -f "$secret" ]; then
val=$(cat "${secret}")
export "$var"="$val"
env_secret_debug "Expanded variable: $var=$val"
else
env_secret_debug "Secret file does not exist! $secret"
fi
fi
}
env_secrets_expand() {
for env_var in $(printenv | cut -f1 -d"=")
do
env_secret_expand $env_var
done
if [ ! -z "$ENV_SECRETS_DEBUG" ]; then
echo -e "\n\033[1mExpanded environment variables\033[0m"
printenv
fi
}
env_secrets_expand
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment