Load values from Consul and Vault as environment variables.
Download the latest release,
add it to your image, and set it as your ENTRYPOINT
.
If you are using Buildkit you can use the TARGETARCH
arg to ADD
the correct
architecture.
ARG TARGETARCH
ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/download/docker-bootstrap_linux_${TARGETARCH} /entrypoint
ENTRYPOINT [ "/entrypoint" ]
To load values from Consul's KV store, you will need to set CONSUL_ADDR
. It
will load keys from the following paths, using the basename as the variable name:
global/env_vars/*
global/${SERVICE_ENV}/env_vars/*
services/${SERVICE_NAME}/env_vars/*
service/${SERVICE_NAME}/${SERVICE_ENV}/env_vars/*
For example, consul kv put services/foo/env_vars/API_SERVICE_URI https://api.priv/v1
will load an environment variable API_SERVICE_URI=https://api.priv/v1
.
Any environment variables set previous to calling the script, will not change.
Paths later in the list will overwrite any previous values. For example,
global/env_vars/FOO
will be overwritten by service/my-service/env_vars/FOO
.
To load values from Vault, you will need to set VAULT_ADDR
and authenticate with
Vault (see below). Values from vault will use the value
key as the variable value.
Values are read from the following paths:
secret/global/env_vars/*
(instage
orprod
)secret/global/${SERVICE_ENV}/env_vars/*
secret/services/${SERVICE_NAME}/env_vars/*
(instage
orprod
)secret/service/${SERVICE_NAME}/${SERVICE_ENV}/env_vars/*
For example, vault write secret/foo/env_vars/API_KEY value=secretkey
will load
an environment variable API_KEY=secretkey
. Values from Vault will overrwrite
Consul values, but follow the same rules otherwise.
Vault Authentication
You can authenticate with Vault in one of the following ways:
- Set
VAULT_TOKEN
- Set
ENCRYPTED_VAULT_TOKEN
with a value encrypted by AWS KMS- You'll need to make sure the container has permissions for the default KMS key
- If running on Kubernetes, use the Kubernetes auth method in Vault
- If running on AWS ECS or Lambda, use the AWS IAM auth method
- If Vault role does not match IAM role, set with
VAULT_ROLE
- If Vault role does not match IAM role, set with
You'll need to install the following:
- Go 1.20
- golangci-lint (
brew install golangci-lint
) - pre-commit (
brew install pre-commit
) - GoReleaser (optional)
Setup the build environment with make init
. Run tests with make test
and lint
code with make lint
.
When committing, you'll need to follow the Conventional Commits format. You can install a tool like git-cz or commitizen.
To create a release, create a tag that follows semver. A GitHub Action workflow will take care of creating the release.