@@ -19,22 +19,38 @@ ENTRYPOINT [ "/entrypoint" ]
1919
2020## Usage
2121
22- To load a environment variables, you'll need to set a ` SERVICE_ENV ` environment
23- variable to ` prod ` , ` stage ` , ` dev ` , or ` peer ` . The following paths get loaded as
24- environment variables, but some environments may change this. You can view exact
25- paths used in each template.
22+ To load values from Consul's KV store, you will need to set ` CONSUL_ADDR ` . It
23+ will load keys from the following paths, using the basename as the variable name:
2624
27- * ` global/env_vars/* ` ( _ Consul _ )
28- * ` services /${SERVICE_NAME }/env_vars/*` ( _ Consul _ )
29- * ` secrets/global /env_vars/*` ( _ Vault _ using the ` value ` key)
30- * ` services /${SERVICE_NAME}/env_vars/*` ( _ Vault _ using the ` value ` key)
25+ * ` global/env_vars/* `
26+ * ` global /${SERVICE_ENV }/env_vars/*`
27+ * ` services/${SERVICE_NAME} /env_vars/*`
28+ * ` service /${SERVICE_NAME}/${SERVICE_ENV}/ env_vars/*`
3129
32- To load values from Consul, you'll need to make sure ` CONSUL_ADDR ` is accessible
33- from your Docker container .
30+ For example, ` consul kv put services/foo/env_vars/API_SERVICE_URI https://api.priv/v1 `
31+ will load an environment variable ` API_SERVICE_URI=https://api.priv/v1 ` .
3432
35- To load values from Vault, you'll need to make sure both ` CONSUL_ADDR ` and ` VAULT_ADDR `
36- are accessible. You'll also need to authenticate with Vault in one of the following
37- ways:
33+ Any environment variables set previous to calling the script, will not change.
34+ Paths later in the list will overwrite any previous values. For example,
35+ ` global/env_vars/FOO ` will be overwritten by ` service/my-service/env_vars/FOO ` .
36+
37+ To load values from Vault, you will need to set ` VAULT_ADDR ` and authenticate with
38+ Vault (see below). Values from vault will use the ` value ` key as the variable value.
39+ Values are read from the following paths:
40+
41+ * ` secret/global/env_vars/* ` (in ` stage ` or ` prod ` )
42+ * ` secret/global/${SERVICE_ENV}/env_vars/* `
43+ * ` secret/services/${SERVICE_NAME}/env_vars/* ` (in ` stage ` or ` prod ` )
44+ * ` secret/service/${SERVICE_NAME}/${SERVICE_ENV}/env_vars/* `
45+
46+ For example, ` vault write secret/foo/env_vars/API_KEY value=secretkey ` will load
47+ an environment variable ` API_KEY=secretkey ` . Values from Vault will overrwrite
48+ Consul values, but follow the same rules otherwise.
49+
50+ <details >
51+ <summary >Vault Authentication</summary >
52+
53+ You can authenticate with Vault in one of the following ways:
3854
3955* Set ` VAULT_TOKEN `
4056* Set ` ENCRYPTED_VAULT_TOKEN ` with a value encrypted by AWS KMS
4359* If running on AWS ECS or Lambda, use the AWS IAM auth method
4460 * If Vault role does not match IAM role, set with ` VAULT_ROLE `
4561
62+ </details >
63+
4664## Development
4765
4866You'll need to install the following:
@@ -61,5 +79,5 @@ or [commitizen](https://github.com/commitizen-tools/commitizen#installation).
6179
6280## Creating a Release
6381
64- To create a release, create a tag that follows [ semver] ( https://semver.org/ ) and
65- a GitHub Action workflow will take care of creating the release.
82+ To create a release, create a tag that follows [ semver] ( https://semver.org/ ) . A
83+ GitHub Action workflow will take care of creating the release.
0 commit comments