Skip to main content
The External Secrets Enterprise Edition is product suite is a premium product. It requires a specific subscription. Contact us for more information.
This section provides practical examples of how to invoke esi-cli for common use cases. For examples involving ESI Federation, please see the ESI CLI with Federation page.

Example 1: init Mode - Environment Variables and File Injection

Scenario: Before starting an application, inject secrets from the my-app-es ExternalSecret as general environment variables. Additionally, inject specific keys (username and password from backend-secret) as API_USER and API_PASS environment variables, and write a specific configuration key (app-config-es.config) to a file. After setup, execute the /app/server binary with specified arguments. Command: 
esi-cli --mode=init \
  --namespace=my-ns \
  --external-secrets=my-app-es \
  --inject-on-env=API_USER=backend-secret.username,API_PASS=backend-secret.password \
  --inject-on-file=/etc/app/config.json=app-config-es.config \
  --binary-path=/app/server \
  --args="--port=8080,--debug"
Explanation:
  1. --mode=init: Specifies init mode.
  2. --namespace=my-ns: esi-cli looks for ExternalSecret resources in the my-ns namespace.
  3. --external-secrets=my-app-es: All data from the Kubernetes Secret managed by my-app-es will be available as environment variables (e.g., if my-app-es has a key db-host, DB_HOST will be set).
  4. --inject-on-env=API_USER=backend-secret.username,API_PASS=backend-secret.password:
    • The value of the username key from the backend-secret ExternalSecret’s data will be set as the API_USER environment variable.
    • The value of the password key from backend-secret will be set as API_PASS.
    • These specific mappings will override any similarly named variables that might have been set by --external-secrets.
  5. --inject-on-file=/etc/app/config.json=app-config-es.config: The value of the config key from the app-config-es ExternalSecret’s data will be written to the file /etc/app/config.json. Parent directories will be created if they don’t exist.
  6. --binary-path=/app/server: After injections, esi-cli will execute /app/server.
  7. --args="--port=8080,--debug": These arguments will be passed to /app/server.

Example 2: daemon Mode - File Injection with Refresh

Scenario: Run esi-cli as a sidecar to provide secrets as files. Fetch a specific key (confKey) from worker-config-es and write its content to /data/worker.conf. Also, fetch the entire shared-certs-es secret and write it as a YAML file to /etc/certs/all.yaml. esi-cli will watch for changes to these ExternalSecrets (if not in federation mode) and refresh the files, with a fallback refresh interval of 5 minutes. Command: 
esi-cli --mode=daemon \
  --namespace=processing \
  --inject-on-file=/data/worker.conf=worker-config-es.confKey,/etc/certs/all.yaml=shared-certs-es \
  --daemon-refresh-interval=5m
Explanation:
  1. --mode=daemon: Specifies daemon mode. esi-cli will run as a long-lived process.
  2. --namespace=processing: esi-cli looks for ExternalSecret resources in the processing namespace.
  3. --inject-on-file=/data/worker.conf=worker-config-es.confKey,/etc/certs/all.yaml=shared-certs-es:
    • The value of confKey from worker-config-es is written to /data/worker.conf.
    • All data from shared-certs-es is written as a YAML file to /etc/certs/all.yaml.
    • esi-cli will monitor the source ExternalSecrets for changes and update these files. Parent directories will be created if they don’t exist.
  4. --daemon-refresh-interval=5m: Sets the periodic refresh/resync interval to 5 minutes.
Applications reading files managed by esi-cli in daemon mode should be designed to detect file changes and reload their configuration if they need to use updated secret values.
These examples illustrate common patterns for using esi-cli. You can combine flags as needed to suit your specific secret injection requirements. Always refer to the Command-Line Flags documentation for a complete list of options.