This tool is intended to be used at the startup of a Docker container to securely set environment variables when the container starts. The included `secure-entrypoint.sh` script is intended to be used together with the `secure-environment` binary to provide this functionality in Docker containers. At this time, this is intended to work with convox specifically.

The `docker-entrypoint.sh` script acts as the entrypoint for the Docker container. The script calls the `secure-environment` binary, which writes a sourceable shell script to stdout that contains `export`ed environment variables.
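The following is an added example of that entrypoint pattern; it is not the project's `secure-entrypoint.sh`. The `fake_secure_environment` function is a constructed stand-in for the real `secure-environment` binary (it just prints two `export` lines in the shape the text describes), `validate_env_script` is an extra check that the page does not describe but that a practitioner would want before sourcing generated shell, and `SECURE_ENV_BIN` is an assumed variable name for pointing the script at the real binary.

```shell
#!/bin/sh
# Added example, not the project's secure-entrypoint.sh: an entrypoint-style
# script that runs a generator, loads the `export` lines it emits into the
# current shell, then hands control to the container command.

# Constructed stand-in for the real secure-environment binary. The real binary
# writes a sourceable script to stdout; this function prints two lines in that
# shape. The values are constructed sample data.
fake_secure_environment() {
    printf "export APP_SECRET='s3cr3t'\n"
    printf "export DB_HOST='db.internal'\n"
}

# Extra defensive check (an assumption, not something the page describes):
# accept only lines of the form  export NAME='value'  with no single quote
# inside the value, plus blank lines. Sourcing a file is executing it, so
# anything else in the generated script is refused rather than run.
validate_env_script() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        printf '%s\n' "$line" \
            | grep -Eq "^export [A-Za-z_][A-Za-z0-9_]*='[^']*'\$" || return 1
    done < "$1"
    return 0
}

# Run the generator ("$@"), capture its script in a private temp file,
# validate it, and source it so the exports land in this shell (not a
# subshell, which is why this is a function rather than a separate script).
load_secure_env() {
    env_file=$(mktemp) || return 1
    chmod 600 "$env_file"
    if "$@" > "$env_file" && validate_env_script "$env_file"; then
        . "$env_file"
        rm -f "$env_file"
        return 0
    fi
    rm -f "$env_file"
    return 1
}

# Entrypoint logic: SECURE_ENV_BIN names the generator (defaults to the
# stand-in above; a real image would set it to /usr/sbin/secure-environment).
# A real entrypoint script would end with:  secure_entrypoint "$@"
secure_entrypoint() {
    load_secure_env "${SECURE_ENV_BIN:-fake_secure_environment}" || {
        echo "secure-entrypoint: refusing to start, environment script invalid" >&2
        exit 1
    }
    exec "$@"
}
```

The design point is that the entrypoint fails closed: if the generated script contains anything other than plain `export NAME='value'` lines, the container command is never started, instead of a partially loaded or unexpected environment being handed to it.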
To use this with convox, set the label `convox.secure-env` to `true` on the services you intend to secure.

In your Docker container, make sure that `secure-entrypoint.sh` from the `scripts` folder of this repository and the latest Linux binary of the `secure-environment` executable are copied into the container at the following locations:

```
secure-environment -> /usr/sbin/secure-environment
secure-entrypoint -> /usr/sbin/secure-entrypoint.sh
```

If you know what you're doing, you can edit the `secure-entrypoint.sh` file to change the location of these files.

Finally, set the `ENTRYPOINT` in your Dockerfile to this:

```dockerfile
ENTRYPOINT ["/usr/sbin/secure-entrypoint.sh"]
```

If you're using this with tini, as we do at Virtru, then use this instead:

```dockerfile
ENTRYPOINT ["/usr/local/bin/tini", "--", "/usr/sbin/secure-entrypoint.sh"]
```