I thought this was a neat trick I found using command-chain and environment for snaps to have default, but overridable, environment variables. If you define an environment variable (VAULT_ADDR in my case) in the environment section of snapcraft.yaml, then snapd sets that value before launching the command or any of the command-chain entries. This means you can modify the value of that environment variable before the final command is launched by creating a command-chain script which changes it. For example, take the following snapcraft.yaml snippet for vault:

    apps:
      vault:
        adapter: full
        command: bin/vault server --config $VAULT_CONFIG
        daemon: simple
        environment:
          VAULT_ADDR: "https://localhost:8200"
          VAULT_CONFIG: "$SNAP_DATA/config/security-secret-store/vault-config.hcl"

This works to set the environment variable, but what if we want a different port number or host name for vault to listen on? We can write a simple command-chain script which checks for a config setting with snapctl and, if it is set, uses that instead:
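
    #!/bin/bash -e

    # Use the snap config value, if set, instead of the default from snapcraft.yaml.
    VAULT_ADDR_SNAP_CONFIG="$(snapctl get vault-addr)"
    if [ -n "$VAULT_ADDR_SNAP_CONFIG" ]; then
        VAULT_ADDR="$VAULT_ADDR_SNAP_CONFIG"
    fi
    export VAULT_ADDR

    # Hand off to the next command in the chain.
    exec "$@"
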
Then we specify the command-chain for this little script in the snapcraft.yaml (of course after having a part somewhere that stages the script into the snap at

    apps:
      vault:
        adapter: full
        command: bin/vault server --config $VAULT_CONFIG
        command-chain:
          - bin/vault-addr-config.sh
        daemon: simple
        environment:
          VAULT_ADDR: "https://localhost:8200"
          VAULT_CONFIG: "$SNAP_DATA/config/security-secret-store/vault-config.hcl"

and now you can configure the vault address with snapctl:
$ snap set $SNAP_NAME vault-addr="https://localhost:8300"
This same trick would work for user-run apps as well. In that case you could even expand the script slightly to inspect the user's environment for VAULT_ADDR: instead define DEFAULT_VAULT_ADDR in the environment in snapcraft.yaml and have the command-chain script set VAULT_ADDR from it if VAULT_ADDR isn't already defined, allowing a user to set it themselves if they want to set it manually, like:
$ VAULT_ADDR="https://localhost:8700" vault server --config ...
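
A sketch of that user-run variant, as an added example that is not code from the original post: the command-chain script picks the caller's VAULT_ADDR first, then the snap config value, then DEFAULT_VAULT_ADDR, and refuses a value that is not a plain http(s) address. The function names `valid_addr` and `resolve_vault_addr`, the middle step of the precedence order, and the character check are assumptions of this example.

```shell
#!/bin/bash
# Added example: command-chain script for a user-run app (not from the original post).
# Assumed precedence: caller's VAULT_ADDR > snap config "vault-addr" > DEFAULT_VAULT_ADDR.
set -e

# Accept only http(s)://... built from a conservative character set, so a
# mistyped or hostile value fails closed. (Bracketed IPv6 literals are rejected.)
valid_addr() {
    case "$1" in
        *[!A-Za-z0-9.:/-]*) return 1 ;;        # whitespace, quotes, ';', newlines...
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = VAULT_ADDR inherited from the caller, $2 = DEFAULT_VAULT_ADDR from snapcraft.yaml.
# Prints the address to use; returns non-zero if the chosen value is invalid or absent.
resolve_vault_addr() {
    snap_addr=""
    if command -v snapctl >/dev/null 2>&1; then
        snap_addr="$(snapctl get vault-addr 2>/dev/null || true)"
    fi
    for candidate in "$1" "$snap_addr" "$2"; do
        [ -n "$candidate" ] || continue
        if ! valid_addr "$candidate"; then
            echo "refusing invalid vault address: $candidate" >&2
            return 1
        fi
        printf '%s\n' "$candidate"
        return 0
    done
    echo "no vault address configured" >&2
    return 1
}

# Only act when invoked as a command-chain entry (snapd passes the next command as "$@").
if [ "$#" -gt 0 ]; then
    VAULT_ADDR="$(resolve_vault_addr "${VAULT_ADDR:-}" "${DEFAULT_VAULT_ADDR:-}")"
    export VAULT_ADDR
    exec "$@"
fi
```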