{"id":37144148,"url":"https://github.com/drillbits/konfig","last_synced_at":"2026-01-14T16:55:37.182Z","repository":{"id":57523047,"uuid":"253964685","full_name":"drillbits/konfig","owner":"drillbits","description":null,"archived":false,"fork":true,"pushed_at":"2024-02-29T00:44:26.000Z","size":2103,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-06-20T12:07:44.080Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"kelseyhightower/konfig","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/drillbits.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-04-08T02:26:14.000Z","updated_at":"2020-04-08T02:26:15.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/drillbits/konfig","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/drillbits/konfig","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drillbits%2Fkonfig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drillbits%2Fkonfig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drillbits%2Fkonfig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drillbits%2Fkonfig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/drillbits","download_url":"https://codeload.github.com/drillbits/konfig/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drillbits%2Fkonfig/sbom","scorecard":null
,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28427123,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T16:38:47.836Z","status":"ssl_error","status_checked_at":"2026-01-14T16:34:59.695Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T16:55:36.377Z","updated_at":"2026-01-14T16:55:37.172Z","avatar_url":"https://github.com/drillbits.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# konfig\n\nkonfig enables serverless workloads running on GCP to reference Kubernetes configmaps and secrets stored in GKE clusters at runtime. konfig currently supports Cloud Run and Cloud Functions workloads.\n\n## Usage\n\nkonfig is enabled via a single import statement:\n\n```\nimport (\n    ...\n\n    _ \"github.com/kelseyhightower/konfig\"\n)\n```\n\n## How Does it Work\n\nThe side effect of importing the `konfig` library will cause konfig to:\n\n* call the Cloud Run or Cloud Functions API to get a list of env vars to process. 
We avoid scanning the running environment as any library can set env vars before konfig runs.\n* retrieve the GKE endpoint based on the secret or configmap reference\n* retrieve configmap and secret keys from the GKE cluster using the service account provided to the Cloud Run or Cloud Function instance.\n* substitute the reference string with the value of the configmap or secret key.\n\nReferences to Kubernetes configmaps and secrets can be made when defining Cloud Run and Cloud Functions environment variables using the [reference syntax](docs/reference-syntax.md).\n\n## Tutorials\n\nA GKE cluster is used to store configmaps and secrets referenced by Cloud Run and Cloud Function workloads. Ideally an existing cluster can be used. For the purpose of this tutorial create the smallest GKE cluster possible in the `us-central1-a` zone:\n\n```\ngcloud container clusters create k0 \\\n  --cluster-version latest \\\n  --no-enable-basic-auth \\\n  --no-enable-ip-alias \\\n  --metadata disable-legacy-endpoints=true \\\n  --no-issue-client-certificate \\\n  --num-nodes 1 \\\n  --machine-type g1-small \\\n  --scopes gke-default \\\n  --zone us-central1-a\n```\n\nDownload the credentials for the `k0` cluster:\n\n```\ngcloud container clusters get-credentials k0 \\\n  --zone us-central1-a\n```\n\nWe only need the Kubernetes API server as we only plan to use Kubernetes as a secrets and config store, so delete the default node pool.\n\n```\ngcloud container node-pools delete default-pool \\\n  --cluster k0 \\\n  --zone us-central1-a\n```\n\nWith the `k0` GKE cluster in place it's time to create the secrets that will be referenced later in the tutorial.  
\n\n```\ncat \u003e config.json \u003c\u003cEOF\n{\n  \"database\": {\n    \"username\": \"user\",\n    \"password\": \"123456789\"\n  }\n}\nEOF\n```\n\nCreate the `env` secret with two keys `foo` and `config.json` which holds the contents of the configuration file created in the previous step:\n\n```\nkubectl create secret generic env \\\n  --from-literal foo=bar \\\n  --from-file config.json\n```\n\nCreate the `env` configmap with a single key `environment`:\n\n```\nkubectl create configmap env \\\n  --from-literal environment=production\n```\n\nAt this point the `env` secret and configmap can be referenced from either Cloud Run or Cloud Functions using the `konfig` library.\n\n### Cloud Run Tutorial\n\nIn this section Cloud Run will be used to deploy the `gcr.io/hightowerlabs/env:0.0.1` container image which responds to HTTP requests with the contents of the `ENVIRONMENT`, `FOO` and `CONFIG_FILE` environment variables, which reference the `env` secret and configmap created in the previous section.\n\nA GKE cluster ID is required when referencing configmaps and secrets. Extract the cluster ID for the `k0` GKE cluster:\n\n```\nCLUSTER_ID=$(gcloud container clusters describe k0 \\\n  --zone us-central1-a \\\n  --format='value(selfLink)')\n```\n\nStrip the `https://container.googleapis.com/v1` from the previous response and store the results:\n\n```\nCLUSTER_ID=${CLUSTER_ID#\"https://container.googleapis.com/v1\"}\n```\n\n\u003e The CLUSTER_ID env var should hold the fully qualified path to the k0 cluster. 
Assuming `hightowerlabs` as the project ID the value would be `/projects/hightowerlabs/zones/us-central1-a/clusters/k0`.\n\nCreate the `env` Cloud Run service and set the `ENVIRONMENT`, `FOO` and `CONFIG_FILE` env vars to reference the `env` configmaps and secrets in the `k0` GKE cluster:\n\n```\ngcloud alpha run deploy env \\\n  --allow-unauthenticated \\\n  --concurrency 50 \\\n  --image gcr.io/hightowerlabs/env:0.0.1 \\\n  --memory 2G \\\n  --region us-central1 \\\n  --set-env-vars \"FOO=\\$SecretKeyRef:${CLUSTER_ID}/namespaces/default/secrets/env/keys/foo,CONFIG_FILE=\\$SecretKeyRef:${CLUSTER_ID}/namespaces/default/secrets/env/keys/config.json?tempFile=true,ENVIRONMENT=\\$ConfigMapKeyRef:${CLUSTER_ID}/namespaces/default/configmaps/env/keys/environment\"\n```\n\n\u003e The `CONFIG_FILE` env var reference uses the `tempFile` option to write the contents of the `config.json` secret key to a temp file. The `CONFIG_FILE` env var will hold the path to the temp file which can be read during normal program execution.\n\nRetrieve the `env` service HTTP endpoint:\n\n```\nENV_SERVICE_URL=$(gcloud alpha run services describe env \\\n  --namespace hightowerlabs \\\n  --region us-central1 \\\n  --format='value(status.url)')\n```\n\nMake an HTTP request to the `env` service:\n\n```\ncurl $ENV_SERVICE_URL\n```\n\nOutput:\n```\nCONFIG_FILE: /tmp/363780357\nENVIRONMENT: production\nFOO: bar\n\n# /tmp/363780357\n{\n  \"database\": {\n    \"username\": \"user\",\n    \"password\": \"123456789\"\n  }\n}\n```\n\n### Cloud Functions Tutorial\n\nkonfig pulls referenced secrets and configmaps from GKE clusters using the GCP service account assigned to a Cloud Function. 
Create the `konfig` service account with the following IAM roles:\n\n* roles/iam.serviceAccountTokenCreator\n* roles/cloudfunctions.viewer\n* roles/container.viewer\n\n```\nPROJECT_ID=$(gcloud config get-value core/project)\n```\n\n```\nSERVICE_ACCOUNT_NAME=\"konfig\"\n```\n\n```\ngcloud iam service-accounts create ${SERVICE_ACCOUNT_NAME} \\\n  --quiet \\\n  --display-name \"konfig service account\"\n```\n\n```\ngcloud projects add-iam-policy-binding ${PROJECT_ID} \\\n  --quiet \\\n  --member=\"serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com\" \\\n  --role='roles/iam.serviceAccountTokenCreator'\n```\n\n```\ngcloud projects add-iam-policy-binding ${PROJECT_ID} \\\n  --quiet \\\n  --member=\"serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com\" \\\n  --role='roles/cloudfunctions.viewer'\n```\n\n```\ngcloud projects add-iam-policy-binding ${PROJECT_ID} \\\n  --quiet \\\n  --member=\"serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com\" \\\n  --role='roles/container.developer'\n```\n\nEnable the `konfig` GCP service account to access the `env` secret and configmap created in the previous section:\n\n```\nSERVICE_ACCOUNT_EMAIL=\"konfig@${PROJECT_ID}.iam.gserviceaccount.com\"\n```\n\nCreate the `konfig` role in the `k0` GKE cluster:\n\n```\nkubectl create role konfig \\\n  --verb get \\\n  --resource secrets \\\n  --resource configmaps \\\n  --resource-name env\n```\n\nBind the `konfig` GCP service account and `konfig` role:\n\n```\nkubectl create rolebinding konfig \\\n  --role konfig \\\n  --user ${SERVICE_ACCOUNT_EMAIL}\n```\n\nAt this point the `konfig` GCP service account has access to the configmap and secret named `env` in the default namespace in the `k0` GKE cluster.\n\n\u003e The `konfig` Kubernetes role limits the `konfig` GCP service to the defined `env` secret and configmap in a single namespace. 
Access to additional secrets and configmaps will require additional permissions.\n\nDeploy the `env` function.\n\n```\ncd examples/cloudfunctions/env/\n```\n\n```\ngcloud alpha functions deploy env \\\n  --entry-point F \\\n  --max-instances 10 \\\n  --memory 128MB \\\n  --region us-central1 \\\n  --runtime go111 \\\n  --service-account $SERVICE_ACCOUNT_EMAIL \\\n  --set-env-vars \"FOO=\\$SecretKeyRef:${CLUSTER_ID}/namespaces/default/secrets/env/keys/foo,CONFIG_FILE=\\$SecretKeyRef:${CLUSTER_ID}/namespaces/default/secrets/env/keys/config.json?tempFile=true,ENVIRONMENT=\\$ConfigMapKeyRef:${CLUSTER_ID}/namespaces/default/configmaps/env/keys/environment\" \\\n  --timeout 30s \\\n  --trigger-http\n```\n\nEnable unauthenticated access to the `env` function HTTP endpoint:\n\n```\ngcloud alpha functions add-iam-policy-binding env \\\n  --member allUsers \\\n  --role roles/cloudfunctions.invoker\n```\n\nRetrieve the HTTPS trigger URL:\n\n```\nHTTPS_TRIGGER_URL=$(gcloud beta functions describe env \\\n  --format 'value(httpsTrigger.url)')\n```\n\nMake an HTTP request to the `env` function:\n\n```\ncurl $HTTPS_TRIGGER_URL\n```\n\n```\nCONFIG_FILE: /tmp/813067742\nENVIRONMENT: production\nFOO: bar\n\n# /tmp/813067742\n{\n  \"database\": {\n    \"username\": \"user\",\n    \"password\": \"123456789\"\n  }\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrillbits%2Fkonfig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdrillbits%2Fkonfig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrillbits%2Fkonfig/lists"}