In some container environments, secret sources are not always readily available or secure. Serverless options such as GCP's Cloud Run require your application to directly interface with Secret Manager or another source. vals-entrypoint is intended to serve as an exec wrapper for your applications to launch in environments where secret material is to be retrieved by using ambient credentials such as a GCE service account.

vals-entrypoint supports substituting secrets into environment variables, as well as writing secrets to the filesystem. To do this, it relies on vals to provide integrations with major cloud providers and on-prem secret stores.

• All environment variables containing vars secretrefs will be evaluated
• VARS_FILES environment variable can be set to a list of file/secretref pairs to write the corresponding secretref to a file
• --vars-files flag can be set to a similar list of file/secretref pairs to be written out

Given an existing secret named mysecret:

mykey: myvalue

Load entire secret into variable FOO

FOO="ref+gcpsecrets://myproject/mysecret" vars-entrypoint exec -- /bin/sh -c 'echo ${FOO}'
mykey: myvalue

Load subkey into variable FOO

FOO="ref+gcpsecrets://myproject/mysecret#/mykey" vars-entrypoint exec -- /bin/sh -c 'echo ${FOO}'
myvalue

Write entire secret into config using VARS_FILES

VARS_FILES="/tmp/config.yaml:ref+gcpsecrets://myproject/mysecret" vars-entrypoint exec cat /tmp/config.yaml
mykey: myvalue

Write entire secret into file using --vars-files

vars-entrypoint --vars-files="/tmp/config.yaml:ref+gcpsecrets://myproject/mysecret" exec cat /tmp/config.yaml
mykey: myvalue

An easy way to create a container image with vals-entrypoint is to build an image using pomerium/vals-entrypoint as a named layer and copy the binary in:

FROM pomerium/vals-entrypoint as base

FROM pomerium/pomerium:latest
COPY --from=base /bin/vals-entrypoint /bin/vals-entrypoint

ENTRYPOINT ["/bin/vals-entrypoint"]
CMD ["exec","--","/bin/pomerium","-config","/pomerium/config.yaml"]