bvis · February 4, 2025 16:57 · Mar 31, 2017 · Mar 31, 2017 · Mar 31, 2017
diff --git a/env_secrets_expand.sh b/env_secrets_expand.sh
@@ -2,7 +2,7 @@
 
 : ${ENV_SECRETS_DIR:=/run/secrets}
 
-function env_secret_debug()
+env_secret_debug()
 {
     if [ ! -z "$ENV_SECRETS_DEBUG" ]; then
         echo -e "\033[1m$@\033[0m"

diff --git a/README.md b/README.md
@@ -19,7 +19,7 @@ And nothing would happen. None of the variables would be modified when starting
 
 But if you define variables with the defined placeholder it will expand the value with the referred secret.
 
-Example
+### Example
 
 Create Secret
 ``` bash

diff --git a/README.md b/README.md
@@ -0,0 +1,73 @@
+# Variables by Secrets
+
+Sample script that allows you to define as environment variables the name of the docker secret that contains the secret value.
+It will be in charge of analyze all the environment variables searching for the placeholder to substitute the variable value
+by the secret.
+
+## Usage
+
+You can define the next environment variables:
+
+``` bash
+$ env | grep DB_
+DB_HOST=my-db-host
+DB_USER=my-db-user
+DB_PASS=my-db-pass
+```
+
+And nothing would happen. None of the variables would be modified when starting the container.
+
+But if you define variables with the defined placeholder it will expand the value with the referred secret.
+
+Example
+
+Create Secret
+``` bash
+echo "my-db-pass" | docker secret create secret-db-pass -
+```
+
+``` bash
+$ env | grep DB_
+DB_HOST=my-db-host
+DB_USER=my-db-user
+DB_PASS={{DOCKER-SECRET:secret-db-pass}}
+```
+
+When starting the script will search for the placeholder `{{DOCKER-SECRET:xxxx}}` on each
+environment variable and will substitute the value by the content of the secret `xxxx`,
+in this example it means to end up with:
+
+``` bash
+DB_HOST=my-db-host
+DB_USER=my-db-user
+DB_PASS=my-db-pass
+```
+
+### How to use it
+
+If you want to use this feature on any image just add the env_secrets_expand.sh
+file in your container entrypoint script and invoke it with `source env_secrets_expand.sh`
+
+### How to test this
+
+Build a sample image with the required dependency and enter into it:
+
+``` bash
+docker run --rm -v $PWD:/test -it alpine sh
+```
+
+Just emulate the creation of a secret and the example variables with the next commands:
+
+``` bash
+mkdir -p /run/secrets/
+echo "my-db-pass" > /run/secrets/secret-db-pass
+export DB_HOST=my-db-host
+export DB_USER=my-db-user
+export DB_PASS={{DOCKER-SECRET:secret-db-pass}}
+```
+
+Execute the script:
+
+``` bash
+ENV_SECRETS_DEBUG=true /test/env_secrets_expand.sh
+```
diff --git a/env_secrets_expand.sh b/env_secrets_expand.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+: ${ENV_SECRETS_DIR:=/run/secrets}
+
+function env_secret_debug()
+{
+    if [ ! -z "$ENV_SECRETS_DEBUG" ]; then
+        echo -e "\033[1m$@\033[0m"
+    fi
+}
+
+# usage: env_secret_expand VAR
+#    ie: env_secret_expand 'XYZ_DB_PASSWORD'
+# (will check for "$XYZ_DB_PASSWORD" variable value for a placeholder that defines the
+#  name of the docker secret to use instead of the original value. For example:
+# XYZ_DB_PASSWORD={{DOCKER-SECRET:my-db.secret}}
+env_secret_expand() {
+    var="$1"
+    eval val=\$$var
+    if secret_name=$(expr match "$val" "{{DOCKER-SECRET:\([^}]\+\)}}$"); then
+        secret="${ENV_SECRETS_DIR}/${secret_name}"
+        env_secret_debug "Secret file for $var: $secret"
+        if [ -f "$secret" ]; then
+            val=$(cat "${secret}")
+            export "$var"="$val"
+            env_secret_debug "Expanded variable: $var=$val"
+        else
+            env_secret_debug "Secret file does not exist! $secret"
+        fi
+    fi
+}
+
+env_secrets_expand() {
+    for env_var in $(printenv | cut -f1 -d"=")
+    do
+        env_secret_expand $env_var
+    done
+
+    if [ ! -z "$ENV_SECRETS_DEBUG" ]; then
+        echo -e "\n\033[1mExpanded environment variables\033[0m"
+        printenv
+    fi
+}
+
+env_secrets_expand