Skip to content

springload/akv-entrypoint

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.github/workflows
.github/workflows
 
 
cmd
cmd
 
 
lib
lib
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Why would I use it?

There are multiple products on Azure Cloud that allow running containers. The problem is they're all configured differently.

  1. Web Apps for Containers have full support for referencing secrets from Azure Key Vault.
  2. Azure Container Apps will have full support for referencing secrets at some point (this functionality is in preview as of Aug 2023) but at the moment it's only ACA-native secrets.
  3. Azure Container Instances don't support KeyVault at all and have their own secrets.

For your workload you might have to use several products, i.e. Web Apps only support applications with web endpoints. For workloads without a web endpoint you might want to use ACA. One-off jobs in ACA are in preview (as of Aug 2023) so you might have to use ACI.

This middleware solves that problem. It runs as an entrypoint to your container application. It fetches all (or specified) secrets from the specified Azure KeyVault and presents them as environment variables to the program.

Authentication takes whatever azidentity.NewDefaultAzureCredential can, see the Go SDK docs, but generally it should just work.

Note: for ACA when using UAI, you have to specify AZURE_CLIENT_ID as per microsoft/azure-container-apps#325

It works the following way:

  1. If AKV_ENTRYPOINT_SECRET_NAMES env var is not set list all secrets from the KeyVault
  2. Fetche the secrets in the Azure listing order.
  3. If a secret has application/json content-type, then treat it as structure and merge it with the resulting structure.
  4. Otherwise, take the secret name as the env var name and take the value.
  5. Merging overrides the previous values.

When AKV_ENTRYPOINT_SECRET_NAMES is set akv-entrypoint only fetches the specified secret names, which are comma-separated. This way it can't know in advance secrets content-type so it must be hinted if it should treat it as a json, for example:

AKV_ENTRYPOINT_SECRET_NAMES=json:secret1,secret2

It'll treat secret1 as JSON and secret2 as plain text.

Note: KeyVault secret names can't have underscores so it's normal to have dashes in them as separators. At the same time environment variables in Linux can't have dashes. So the middleware will replace all dashes with underscores for all secret names, i.e. if you have a KeyVault secret mega-secret the environment name you'll get will become mega_secret to conform to the spec.

Examples

CLI usage for testing

$akv-entrypoint -d print -n your-keyvault # to see env vars printed in JSON
$akv-entrypoint -d run -n your-keyvault -- your-app # to run the app

Docker entrypoint

# somewhere above
FROM ghcr.io/springload/akv-entrypoint:latest as akv-entrypoint
...
# later on in your app stage
COPY --from=akv-entrypoint /usr/bin/akv-entrypoint /usr/bin/akv-entrypoint
...
# at the end of your production stage
ENTRYPOINT ["/usr/bin/akv-entrypoint", "run", "-n", "your-keyvault",  "--"]
CMD ["/usr/local/bin/gunicorn", "--config", "/app/docker/gunicorn.py", "app.wsgi" ]

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

7 tags

Packages

 
 
 

Languages