A secure environment variable and secrets distribution system for development teams.
envtool provides a complete secrets management platform that combines Kubernetes-native storage with modern authentication patterns. It eliminates the common problem of insecure secrets sharing (Slack messages, email, sticky notes) by providing a centralized, auditable system for distributing environment variables and secrets to development teams.
Development teams need a secure, convenient way to share environment variables and secrets across local development environments. envtool solves this by:
- Security First: Leverages Keycloak for authentication, OPA for authorization, and Kubernetes Secrets for encrypted storage
- Developer Friendly: CLI tool with direnv-style shell integration automatically loads environment variables when you cd into a project
- Multi-Repository: Supports fine-grained access control across multiple repositories and environments
- Platform Integration: Built on Kubernetes and Istio service mesh for enterprise-grade security and observability
```bash
git clone https://github.com/holos-run/envtool.git
cd envtool
make install
```

The binary will be installed to $GOPATH/bin/envtool.

```bash
make build
```

The binary will be available at bin/envtool.
```bash
# Run the tool
envtool
# Output: Hello, World!

# Check version
envtool version

# Check detailed version info
envtool version --verbose
```

For the complete system architecture and implementation plan, see plans/01-envtool-design.md.
The system consists of five core components:
- ConnectRPC Server - Go-based API server managing secrets via Kubernetes CRDs
- Kubernetes Controller - Reconciles configuration and secrets
- Keycloak - Identity management with multi-repository access control
- OPA - Fine-grained authorization via Istio integration
- CLI Tool - Cross-platform CLI with direnv-style shell integration
```bash
# Run tests
make test

# Format code
make fmt

# Build
make build

# Clean build artifacts
make clean

# Tidy dependencies
make tidy
```

Apache 2.0