Vault configuration best practice

So I decided to use runtime.exs in a mix release.

config/runtime.exs now looks like:

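import Config

# Production only: pull runtime secrets from Vault and feed them into the
# release configuration. This file is evaluated when the release starts.
if config_env() == :prod do
  # The JSON codec and HTTP client must be started explicitly here: the
  # release's applications are not yet running when runtime config is evaluated.
  {:ok, _} = Application.ensure_all_started(:jason)
  {:ok, _} = Application.ensure_all_started(:hackney)

  # Service-account JWT presented to Vault. JWT_TOKEN_PATH overrides the
  # location; otherwise the token Kubernetes projects into the pod is used.
  jwt_path =
    System.get_env("JWT_TOKEN_PATH") ||
      "/var/run/secrets/kubernetes.io/serviceaccount/token"

  jwt = File.read!(jwt_path)

  # Required settings: a missing variable aborts the release start loudly.
  vault_host = System.fetch_env!("VAULT_ADDR")
  vault_k8s_role = System.fetch_env!("VAULT_K8S_ROLE")
  vault_prefix = System.fetch_env!("VAULT_PREFIX")
  # Optional: the path under the prefix that holds this environment's secrets.
  vault_env_path = System.get_env("VAULT_ENV_PATH") || "secrets"

  # NOTE(review): the JWT and the secrets returned below travel through this
  # client; confirm VAULT_ADDR is an https:// URL and that the Tesla adapter
  # verifies the server certificate.
  client =
    Vault.new(
      engine: Vault.Engine.KVV2,
      auth: Vault.Auth.Kubernetes,
      http: Vault.HTTP.Tesla,
      host: vault_host
    )

  {:ok, vault} = Vault.auth(client, %{role: vault_k8s_role, jwt: jwt})

  {:ok, vault_secrets} = Vault.read(vault, "#{vault_prefix}/#{vault_env_path}")

  ################################################################################
  ## Release Config (with Vault secrets)
  ################################################################################
  config :myapp, MS.Repo,
    # ssl: true,
    # DATABASE_URL is mandatory: fail fast instead of booting without a database.
    url: Map.fetch!(vault_secrets, "DATABASE_URL"),
    # POOL_SIZE is optional. The default has to be applied before parsing:
    # `String.to_integer(nil) || 10` raises instead of falling back to 10.
    pool_size: String.to_integer(Map.get(vault_secrets, "POOL_SIZE", "10"))
  ...
end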

and, to include runtime.exs at release start, runtime_config_path should be added to mix.exs:

  releases: [
        myapp_web: [
          # Path of the runtime config evaluated at release start. Since
          # Elixir 1.11 this is also the default value, so the entry only
          # matters when the file lives somewhere else.
          runtime_config_path: "config/runtime.exs",
          version: "0.0.1",
          applications: [
            myapp_web: :permanent
            ...

So no additional config readers were used.
