commit dea0f71a382eaf5eb3ae30588a93724fd1c19a1e Author: Vitalii Kuznetsov Date: Thu Jan 22 16:11:35 2026 +0300 Add initial project files including LICENSE, README, example Docker Compose, and infisical-init script
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..445dc44
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Infisical Painless Integration Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..983d198
--- /dev/null
+++ b/README.md
@@ -0,0 +1,87 @@
+# Infisical Painless Integration
+
+This repository provides a simple script to integrate Infisical secrets management into your existing Docker Swarm or Docker Compose services without modifying your application code.
+
+## Overview
+
+The `infisical-init` script automatically installs the Infisical CLI, authenticates with your Infisical instance, and either exports secrets to a file or runs your application command with secrets injected as environment variables.
+
+## Prerequisites
+
+- An Infisical account and project
+- Docker and Docker Compose installed
+- Required environment variables set (see below)
+
+## Environment Variables
+
+The following environment variables must be set:
+
+- `INFISICAL_API_URL`: URL of your Infisical API instance
+- `INFISICAL_CLIENT_ID`: Client ID for authentication
+- `INFISICAL_CLIENT_SECRET`: Client secret for authentication
+- `INFISICAL_PROJECT_ID`: ID of your Infisical project
+- `INFISICAL_ENVIRONMENT`: Environment name (e.g., "dev", "prod")
+
+## Usage
+
+1. Update your stack file to match the example in `compose.example.yml`
+2. Set the required environment variables
+3. Mount the `infisical-init` script as a volume
+4. Configure your service's entrypoint to run the script
+
+### Example Docker Compose
+
+```yaml
+services:
+ your-app:
+ image: your-image
+ volumes:
+ - ./infisical-init:/infisical-init.sh
+ environment:
+ INFISICAL_CLIENT_ID: ${INFISICAL_CLIENT_ID}
+ INFISICAL_CLIENT_SECRET: ${INFISICAL_CLIENT_SECRET}
+ INFISICAL_API_URL: ${INFISICAL_API_URL}
+ INFISICAL_ENVIRONMENT: ${INFISICAL_ENVIRONMENT}
+ INFISICAL_PROJECT_ID: ${INFISICAL_PROJECT_ID}
+ entrypoint:
+ - sh
+ - -c
+ - |
+ chmod +x /infisical-init.sh
+ /infisical-init.sh run "your-command-here"
+```
+
+### Script Modes
+
+The script supports two modes:
+
+- `file `: Exports secrets to a file at the specified path
+- `run `: Runs the specified command with secrets injected as environment variables
+
+### Supported Images
+
+The script automatically detects the package manager and installs Infisical CLI:
+
+- Alpine-based images (uses `apk`)
+- Debian/Ubuntu-based images (uses `apt-get`)
+
+## How It Works
+
+1. Detects the package manager and installs Infisical CLI if not present
+2. Validates all required environment variables
+3. Authenticates with Infisical using universal auth
+4. Either exports secrets or runs your command with secrets available
+
+## Security Notes
+
+- Ensure environment variables are set securely (e.g., via `.env` files or secret management)
+- The script handles authentication automatically and securely
+- Secrets are not persisted in the container after execution
+
+## Contributing
+
+Feel free to submit issues and pull requests to improve this integration script.
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
\ No newline at end of file
diff --git a/compose.example.yml b/compose.example.yml
new file mode 100644
index 0000000..687a96d
--- /dev/null
+++ b/compose.example.yml
@@ -0,0 +1,38 @@
+services:
+ app-debian:
+ image: debian:stable-slim
+ volumes:
+ - ./infisical-init:/infisical-init.sh
+ environment:
+ INFISICAL_CLIENT_ID: ${INFISICAL_CLIENT_ID}
+ INFISICAL_CLIENT_SECRET: ${INFISICAL_CLIENT_SECRET}
+ INFISICAL_API_URL: ${INFISICAL_API_URL}
+ INFISICAL_ENVIRONMENT: ${INFISICAL_ENVIRONMENT}
+ INFISICAL_PROJECT_ID: ${INFISICAL_PROJECT_ID}
+ entrypoint:
+ - sh
+ - -c
+ - |
+ chmod +x /infisical-init.sh
+ /infisical-init.sh run "env" # Using with command
+ /infisical-init.sh file /tmp/.env # Using with file
+ cat /tmp/.env
+ app-alpine:
+ image: alpine:latest
+ volumes:
+ - ./infisical-init:/infisical-init.sh
+ environment:
+ INFISICAL_CLIENT_ID: ${INFISICAL_CLIENT_ID}
+ INFISICAL_CLIENT_SECRET: ${INFISICAL_CLIENT_SECRET}
+ INFISICAL_API_URL: ${INFISICAL_API_URL}
+ INFISICAL_ENVIRONMENT: ${INFISICAL_ENVIRONMENT}
+ INFISICAL_PROJECT_ID: ${INFISICAL_PROJECT_ID}
+ entrypoint:
+ - sh
+ - -c
+ - |
+ chmod +x /infisical-init.sh
+ /infisical-init.sh run "env" # Using with command
+ /infisical-init.sh file /tmp/.env # Using with file
+ cat /tmp/.env
+
diff --git a/infisical-init b/infisical-init
new file mode 100644
index 0000000..8e9f5f1
--- /dev/null
+++ b/infisical-init
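Review bot: In compose.example.yml both services write every fetched secret to the container log, since `/infisical-init.sh run "env"` prints the injected environment and `cat /tmp/.env` prints the exported file, so anyone who can read `docker logs` or the log driver's destination obtains them. The README tells users to model their stack file on this example, so a harmless check would be safer, e.g. `/infisical-init.sh run "true"` and `test -s /tmp/.env` in place of `cat /tmp/.env`. The script mount could also be read-only (`- ./infisical-init:/infisical-init.sh:ro`) and started with `sh /infisical-init.sh …`, which removes the `chmod +x` on the bind-mounted host file; `alpine:latest` is an unpinned tag.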
@@ -0,0 +1,37 @@
+if [ -n "$(which apk)" ]; then
+ if [ -z "$(which infisical)" ]; then
+ apk update
+ apk add bash curl
+ curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash
+ apk add infisical
+ fi;
+elif [ -n "$(which apt-get)" ]; then
+ if [ -z "$(which infisical)" ]; then
+ apt-get update && apt-get install -y curl
+ curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash
+ apt-get install infisical -y
+ fi;
+else
+ echo "Unsupported package manager. Exiting."
+ exit 1
+fi
+
+missing=""
+[ -z "$INFISICAL_API_URL" ] && missing="$missing INFISICAL_API_URL"
+[ -z "$INFISICAL_CLIENT_ID" ] && missing="$missing INFISICAL_CLIENT_ID"
+[ -z "$INFISICAL_CLIENT_SECRET" ] && missing="$missing INFISICAL_CLIENT_SECRET"
+[ -z "$INFISICAL_PROJECT_ID" ] && missing="$missing INFISICAL_PROJECT_ID"
+[ -z "$INFISICAL_ENVIRONMENT" ] && missing="$missing INFISICAL_ENVIRONMENT"
+if [ -n "$missing" ]; then
+ echo "One or more required environment variables are missing:$missing. Exiting."
+ exit 1
+fi
+export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_CLIENT_ID --client-secret=$INFISICAL_CLIENT_SECRET --silent --plain)
+if [ "$1" = "file" ]; then
+ infisical export --projectId=$INFISICAL_PROJECT_ID --env=$INFISICAL_ENVIRONMENT > $2
+elif [ "$1" = "run" ]; then
+infisical run --projectId=$INFISICAL_PROJECT_ID --env=$INFISICAL_ENVIRONMENT -- $2
+else
+ echo "Invalid argument. Use 'file' or 'run'."
+ exit 1
+fi
\ No newline at end of file
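Review bot: A failed login goes unnoticed at `export INFISICAL_TOKEN=$(infisical login …)`, because `export` returns 0 whatever the substitution did, so the script continues into `infisical export` / `infisical run` with an empty token; assign first, check the status and that the token is non-empty, then export. That line and the two `infisical` calls below it expand `$INFISICAL_CLIENT_SECRET`, `$INFISICAL_PROJECT_ID`, `$INFISICAL_ENVIRONMENT` and `$2` unquoted, and `file` mode writes the secrets with the default umask and never checks that `$2` was given. The client secret is also passed on the command line, where it shows up in the process list while the login runs; the CLI documents `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` as an environment alternative, which should be confirmed against the installed version. Separately, both install branches pipe a remote setup script into `bash` and then install an unpinned `infisical` package at container start, so the container runs whatever those two hosts serve at that moment; shipping a pinned CLI in the image would take that step out of runtime. The fence covers the login and mode handling only, and switches `run` to `sh -c "$2"` so the single command string the README passes is parsed by a shell instead of being split unquoted.

```shell
# … unchanged: CLI install and required-variable check …
INFISICAL_TOKEN=$(infisical login --method=universal-auth \
  --client-id="$INFISICAL_CLIENT_ID" \
  --client-secret="$INFISICAL_CLIENT_SECRET" --silent --plain) || exit 1
if [ -z "$INFISICAL_TOKEN" ]; then
  echo "Infisical login returned no token. Exiting." >&2
  exit 1
fi
export INFISICAL_TOKEN
if [ "$1" = "file" ]; then
  umask 077  # secrets file readable by its owner only
  infisical export --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENVIRONMENT" \
    > "${2:?output path required}"
elif [ "$1" = "run" ]; then
  infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENVIRONMENT" \
    -- sh -c "${2:?command required}"
# … unchanged: invalid-argument branch …
```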