How to inject env variables into Init Bundle
Aidbox provides Init Bundle functionality to create configuration resources on its start. However, Aidbox load Init Bundle content as is, so it is not possible to inject secrets or other environment variables in it.
To overcome this limitation, we can use third-party reliable tools like envsubst and sed to inject secrets into Init Bundle. You can add following instruction as a step to your CI pipeline:
Let's say we have Aidbox TokenIntrospector resource in our Init Bundle and we have to set different values for iss and jwks_uri parameters on different environments. We need to prepare init-bundle.json.template file:
{
"type": "batch",
"entry": [
{
"request": {
"method": "PUT",
"url": "/TokenIntrospector/keycloak"
},
"resource":
{
"resourceType": "TokenIntrospector",
"id": "external-auth-server",
"type": "jwt",
"jwt": {
"iss": "${AUTH_SERVER_URL}"
},
"jwks_uri": "${AUTH_SERVER_URL}/.well-known/jwks.json"
}
}
]
}
Please note that we use ${AUTH_SERVER_URL} placeholder for the jwt.iss and jwks_uri parameters. This placeholder will be replaced with the actual value on CI.
Dynamically template init bundle in Docker Compose
See this example . This example demonstrates how to dynamically template Aidbox init bundles using environment variables in Docker Compose by overriding the container entrypoint.
Using envsubst
envsubst is a tiny GNU gettext utility that scans a text file for shell-style variables like ${VAR} and replaces them with the values currently set in the process environment.
- 1.Export all environment variables that you need to inject into Init Bundle:
export AUTH_SERVER_URL=https://auth.example.com
- 2.Run
envsubstcommand to inject environment variables intoinit-bundle.json.templatefile:
envsubst < init-bundle.json.template > init-bundle.json
- 3.Use
init-bundle.jsonfile in your CI pipeline.
init-bundle.json file content will be:
{
"type": "batch",
"entry": [
{
"request": {
"method": "PUT",
"url": "/TokenIntrospector/keycloak"
},
"resource": {
"resourceType": "TokenIntrospector",
"id": "external-auth-server",
"type": "jwt",
"jwt": {
"iss": "https://auth.example.com"
},
"jwks_uri": "https://auth.example.com/.well-known/jwks.json"
}
}
]
}
Aidbox envs:
...
BOX_INIT_BUNDLE: file:///init-bundle.json
...
Using sed
sed – the stream editor that performs scripted text transformations (substitution, insertion, deletion, etc.)
- 1.Export all environment variables that you need to inject into Init Bundle:
export AUTH_SERVER_URL=https://auth.example.com
- 2.Run
sedcommand to inject environment variables intoinit-bundle.json.templatefile:
sed -e "s|\${AUTH_SERVER_URL}|$AUTH_SERVER_URL|g" \
init-bundle.json.template > init-bundle.json
- 3.Use
init-bundle.jsonfile in your CI pipeline.
init-bundle.json file content will be:
{
"type": "batch",
"entry": [
{
"request": {
"method": "PUT",
"url": "/TokenIntrospector/keycloak"
},
"resource": {
"resourceType": "TokenIntrospector",
"id": "external-auth-server",
"type": "jwt",
"jwt": {
"iss": "https://auth.example.com"
},
"jwks_uri": "https://auth.example.com/.well-known/jwks.json"
}
}
]
}
Aidbox envs:
...
BOX_INIT_BUNDLE: file:///init-bundle.json
...
CI step example
GitHub Actions step example with envsubst command:
- name: Fill init bundle template
run: |
echo "Populating auth server value"
envsubst < init-bundle.json.template > init-bundle.json
env:
AUTH_SERVER_URL: ${{ secrets.AUTH_SERVER_URL }}