
Inject summon secrets into docker containers using --env

Open doodlesbykumbi opened this issue 4 years ago • 2 comments

Is your feature request related to a problem? Please describe

Though @SUMMONENVFILE has been useful until now it has some shortcomings

  • Still breaks on multiline secret value
  • Doesn’t support the !file tag

A better approach would be something like `@SUMMONDOCKEROPTS`, whose usage would look like this: `summon docker run @SUMMONDOCKEROPTS myorg/myimage`. It would:

  1. Add `-e VAR_NAME` for all the secrets injected by summon
  ~~2. Add `-v FILE_PATH:FILE_PATH` for all the secrets that are managed as files by summon~~
  ~~3. The benefit of (2) is that summon is still managing these files so if it dies then those files are gone.~~

Describe the solution you would like

See above^

Describe alternatives you have considered

  • Use `@SUMMONENVFILE`, which has many limitations
  • Roll your own bash script, but miss out on the rich context that running inside Summon provides. https://github.com/cyberark/summon/issues/194#issuecomment-767139871

Additional context

Add any other context information about the feature request here.

doodlesbykumbi, Jan 25 '21 21:01

Lifting environment variables from summon into your docker container has never been easier. It even works with `!file`.

```bash
function summon_envvars_docker_opts() {
( set -euo pipefail
  local secretsyml="${1:-secrets.yml}"
  local envs volumemounts

  # top-level keys of secrets.yml: drop blank lines and comments, keep the text before the first ':'
  secret_keys() { sed '/^$/d' "${secretsyml}" | { grep '^[^#]' || true; } | sed -E 's/^([^:]*)?.*/\1/'; }

  # every key must already be in the environment, i.e. this must be running under summon
  if ! secret_keys | xargs -n 1 sh -c 'printenv "$1" > /dev/null' _; then
    echo "failed: ensure that '${secretsyml}' exists and that this script is running within a summon context i.e. summon [this script]" >&2
    exit 1
  fi

  # create the options for the environment variables listed in secrets.yml
  # (-e NAME without a value makes docker copy the variable from this environment, multiline values included)
  envs="$(secret_keys | xargs printf -- '-e %s ')"

  # create the options for the volume mounts for secrets that use the !file tag in secrets.yml;
  # summon exports the temp file path as the variable's value, so mount it at the same path.
  # The trailing '|| true' keeps the function from failing when there are no !file secrets
  # (xargs then runs the command once with no arguments and exits 123).
  volumemounts="$({ grep '^[^#]' "${secretsyml}" || true; } | { grep '![^ ]*file' || true; } | sed '/^$/d' | sed -E 's/^([^:]*)?.*/\1/' \
    | xargs -n 1 sh -c '[ "$#" -gt 0 ] && printf "%s" "-v $(printenv "$1"):$(printenv "$1") "' _ || true)"

  echo "${envs}" "${volumemounts}"
)
}

docker run $(summon_envvars_docker_opts) ...
```

If the above is `./script.sh`, then simply `summon ./script.sh`

doodlesbykumbi, Jan 25 '21 21:01
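The script above returns all options as one space-separated string, which `$(...)` then word-splits; a `!file` path containing a space, or a key that is not exported, breaks it silently. The following is an added example, not code from the issue author or from the summon project: it emits one `docker run` option per line so the caller can capture them into an array, validates every key before printing anything, and never writes a secret value to its output (only the variable name, which `-e NAME` makes docker read from the current environment, so multiline values are not a problem). It assumes, as the thread does, that summon has exported every top-level key of `secrets.yml` and that a `!file` secret's exported value is the path of the temp file summon wrote; the `secrets.yml` content in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): build `docker run` options from secrets.yml.
# Output is one argument per line, so a path with spaces survives; keys are
# environment variable names and therefore cannot contain newlines themselves.

# Print the top-level keys of a secrets.yml. Only lines shaped like
# `KEY: ...` with a valid environment variable name count; blank lines,
# comments and YAML continuation lines are skipped.
secrets_keys() {
  sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*:.*/\1/p' "$1"
}

# Print only the keys whose value carries a !file tag (also matches
# combined tags such as !var:file, like the grep in the script above).
secrets_file_keys() {
  sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*:[[:space:]]*![^[:space:]]*file.*/\1/p' "$1"
}

# Emit `-e KEY` for every key and `-v PATH:PATH` for every !file key,
# one token per line. Refuses to print anything if a key is not exported,
# i.e. if this is not running under summon.
summon_docker_args() {
  secretsyml="${1:-secrets.yml}"
  [ -f "$secretsyml" ] || { echo "$secretsyml not found" >&2; return 1; }

  # validation pass first, so the caller never gets a half-built option list
  for key in $(secrets_keys "$secretsyml"); do
    printenv "$key" >/dev/null || { echo "$key is not set; run this script under summon" >&2; return 1; }
  done

  # -e NAME with no value: docker copies the variable from this environment,
  # so the secret value itself never appears on the command line
  for key in $(secrets_keys "$secretsyml"); do
    printf '%s\n' -e "$key"
  done

  # summon exports the temp file path as the value of a !file secret (assumption
  # taken from the thread); mount it read-only-by-convention at the same path
  for key in $(secrets_file_keys "$secretsyml"); do
    path="$(printenv "$key")"
    printf '%s\n' -v "$path:$path"
  done
}

# Usage from a script started as `summon ./script.sh` (bash):
#   mapfile -t opts < <(summon_docker_args) || exit 1
#   docker run "${opts[@]}" myorg/myimage
#
# Constructed secrets.yml the test below uses:
#   # constructed sample
#   DB_PASSWORD: !var prod/db/password
#   TLS_KEY: !file prod/tls/key
```

Because `mapfile` splits on newlines and each option is its own line, `"${opts[@]}"` hands docker exactly the tokens printed, spaces and all. The `-v` line still has the limits the next comment describes (host paths that cannot be mounted, or that look different inside the container), so it only helps when the container runs on the same host as summon.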

Supporting `!file` is challenging.

  1. You can't predict if local volumes can be mounted into the Docker container
  2. File paths on the host can look different from those inside a container, e.g. Windows container <-> Linux host, or vice-versa.
  3. `docker run` is terminated when run with the `-d` flag. Summon will delete tmpfiles as soon as that's done.
  4. ... etc. it gets complicated and also it's not the core use case.

doodlesbykumbi, Jan 25 '21 22:01