♻️ Rename to murmur

Several open-source projects related to secret management are already
called "whisper". In order to make finding this project through search
engines easier, we rename it to "murmur".

.github/workflows/ci.yml

@@ -33,8 +33,8 @@ jobs:
       # directory of this repository.
       - uses: google-github-actions/auth@v1
         with:
-          workload_identity_provider: "projects/841223787188/locations/global/workloadIdentityPools/default/providers/github-oidc"
-          service_account: "github-actions@whisper-tests.iam.gserviceaccount.com"
+          workload_identity_provider: "projects/221642914929/locations/global/workloadIdentityPools/default/providers/github-oidc"
+          service_account: "github-actions@murmur-tests.iam.gserviceaccount.com"
           token_format: "access_token"
           access_token_lifetime: "300s"
 

.goreleaser.yaml

@@ -9,7 +9,7 @@ builds:
       - windows
       - darwin
     main: ./
-    binary: whisper
+    binary: murmur
 archives:
   - replacements:
       darwin: Darwin
@@ -22,21 +22,21 @@ archives:
         format: zip
 dockers:
   - image_templates:
-      - ghcr.io/busser/whisper:{{ .Tag }}
-      - ghcr.io/busser/whisper:v{{ .Major }}.{{ .Minor }}
-      - ghcr.io/busser/whisper:v{{ .Major }}
-      - ghcr.io/busser/whisper:latest
+      - ghcr.io/busser/murmur:{{ .Tag }}
+      - ghcr.io/busser/murmur:v{{ .Major }}.{{ .Minor }}
+      - ghcr.io/busser/murmur:v{{ .Major }}
+      - ghcr.io/busser/murmur:latest
 checksum:
-  name_template: 'checksums.txt'
+  name_template: "checksums.txt"
 snapshot:
-  name_template: '{{ .Tag }}-next'
+  name_template: "{{ .Tag }}-next"
 changelog:
   sort: asc
   filters:
     exclude:
-      - '^chore:'
+      - "^chore:"
       - '^chore\(deps\):'
-      - '^docs:'
+      - "^docs:"
       - '^fix\(deps\):'
-      - '^refactor:'
-      - '^test:'
+      - "^refactor:"
+      - "^test:"

Dockerfile

@@ -1,8 +1,8 @@
 FROM scratch
 
-LABEL org.opencontainers.image.source=https://github.com/busser/whisper
+LABEL org.opencontainers.image.source=https://github.com/busser/murmur
 
 # The binary is built beforehand.
-COPY whisper /
+COPY murmur /
 
-ENTRYPOINT ["/whisper"]
+ENTRYPOINT ["/murmur"]

Makefile

@@ -2,7 +2,7 @@
 VERSION:=$(shell cat VERSION)
 
 # Image URL to use all building/pushing image targets
-IMG ?= ghcr.io/busser/whisper:$(VERSION)
+IMG ?= ghcr.io/busser/murmur:$(VERSION)
 
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
@@ -47,8 +47,8 @@ test-e2e: ## Run all tests, including end-to-end tests.
 ##@ Build
 
 .PHONY: build
-build: fmt vet ## Build whisper binary.
-	go build -o bin/whisper
+build: fmt vet ## Build murmur binary.
+	go build -o bin/murmur
 
 ##@ Release
 

README.md

@@ -1,15 +1,14 @@
-# 🤫 Whisper <!-- omit in toc -->
+# 🤫 Murmur <!-- omit in toc -->
 
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![Go Report Card](https://goreportcard.com/badge/github.com/busser/whisper)](https://goreportcard.com/report/github.com/busser/whisper)
-![tests-passing](https://github.com/busser/whisper/actions/workflows/ci.yml/badge.svg)
+[![Go Report Card](https://goreportcard.com/badge/github.com/busser/murmur)](https://goreportcard.com/report/github.com/busser/murmur)
+![tests-passing](https://github.com/busser/murmur/actions/workflows/ci.yml/badge.svg)
 
-Plug-and-play entrypoint to inject secrets directly into your application's
-environment variables.
+Plug-and-play entrypoint to pass secrets as environment variables to a process.
 
 - [How it works](#how-it-works)
-- [Using whisper locally](#using-whisper-locally)
-- [Including whisper in a Docker image](#including-whisper-in-a-docker-image)
+- [Using murmur locally](#using-murmur-locally)
+- [Including murmur in a Docker image](#including-murmur-in-a-docker-image)
 - [Secret providers](#secret-providers)
   - [Scaleway Secret Manager](#scaleway-secret-manager)
   - [Azure Key Vault](#azure-key-vault)
@@ -24,7 +23,7 @@ environment variables.
 
 ## How it works
 
-Whisper must run as your application's entrypoint. This means that instead of
+Murmur must run as your application's entrypoint. This means that instead of
 running this command to start your application:
 
 ```bash
@@ -34,30 +33,30 @@ running this command to start your application:
 Run this instead:
 
 ```bash
-whisper exec -- /bin/run-my-app
+murmur run -- /bin/run-my-app
 ```
 
-Whisper reads its environment variables, replaces references to secrets with
+Murmur reads its environment variables, replaces references to secrets with
 the secrets' values, and passes the resulting variables to your application.
 Variables that are not references to secrets are passed as is. See
 [Secret providers](#secret-providers) below for more details.
 
 Environment variable values can also contain filters that transform the secret's
 value. See [Filters](#filters) below for more details.
 
-## Using whisper locally
+## Using murmur locally
 
-Download the `whisper` binary for your OS and architecture on the
-[project's releases page](https://github.com/busser/whisper/releases) and put
+Download the `murmur` binary for your OS and architecture on the
+[project's releases page](https://github.com/busser/murmur/releases) and put
 the binary in your PATH.
 
-## Including whisper in a Docker image
+## Including murmur in a Docker image
 
-For convenience, the whisper binary is also released as a Docker image. In your
+For convenience, the murmur binary is also released as a Docker image. In your
 application's Dockerfile, simply add the following line:
 
 ```dockerfile
-COPY --from=ghcr.io/busser/whisper:latest /whisper /bin/whisper
+COPY --from=ghcr.io/busser/murmur:latest /murmur /bin/murmur
 ```
 
 And then change your image's entrypoint:
@@ -66,18 +65,18 @@ And then change your image's entrypoint:
 # from this:
 ENTRYPOINT ["/bin/run-my-app"]
 # to this:
-ENTRYPOINT ["/bin/whisper", "exec", "--", "/bin/run-my-app"]
+ENTRYPOINT ["/bin/murmur", "run", "--", "/bin/run-my-app"]
 ```
 
 See [examples/dockerfile](./examples/dockerfile) for actual code.
 
 ## Secret providers
 
-Whisper supports fetching secrets from the following providers.
+Murmur supports fetching secrets from the following providers.
 
 ### Scaleway Secret Manager
 
-Whisper will fetch secrets from Scaleway Secret Manager for all environment
+Murmur will fetch secrets from Scaleway Secret Manager for all environment
 variables that start with `scwsm:`. What follows the prefix should reference a
 secret.
 
@@ -96,14 +95,14 @@ Here are some examples:
   `fr-par` region named `secret-sauce`.
 
 The string that comes before `#` could be a name or an ID. If the string is a
-UUID, then whisper assumes it is an ID. Otherwise, it assumes it is a name.
+UUID, then murmur assumes it is an ID. Otherwise, it assumes it is a name.
 
-Whisper uses the environment's default credentials to authenticate to Scaleway.
-You can configure whisper the same way you can [configure the `scw` CLI](https://github.com/scaleway/scaleway-cli/blob/master/docs/commands/config.md).
+Murmur uses the environment's default credentials to authenticate to Scaleway.
+You can configure murmur the same way you can [configure the `scw` CLI](https://github.com/scaleway/scaleway-cli/blob/master/docs/commands/config.md).
 
 ### Azure Key Vault
 
-Whisper will fetch secrets from Azure Key Vault for all environment variables
+Murmur will fetch secrets from Azure Key Vault for all environment variables
 that start with `azkv:`. What follows the prefix should reference a secret.
 
 Here are some examples:
@@ -114,13 +113,13 @@ Here are some examples:
   references a specific version of the `secret-sauce` secret in the `example`
   Key Vault.
 
-Whisper uses the environment's default credentials to authenticate to Azure. You
+Murmur uses the environment's default credentials to authenticate to Azure. You
 can set these credentials with the [environment variables listed here](https://github.com/Azure/azure-sdk-for-go/wiki/Set-up-Your-Environment-for-Authentication#configure-defaultazurecredential),
 or with workload identity.
 
 ### AWS Secrets Manager
 
-Whisper will fetch secrets from AWS Secrets Manager for all environment
+Murmur will fetch secrets from AWS Secrets Manager for all environment
 variables that start with `awssm:`. What follows the prefix should reference a
 secret.
 
@@ -139,14 +138,14 @@ Here are some examples:
   references a specific staging label of the secret with the specified ARN.
 
 The string that comes after `#` could be a version ID or a version label. If the
-string is a UUID, then whisper assumes it is a version ID. Otherwise, it assumes
+string is a UUID, then murmur assumes it is a version ID. Otherwise, it assumes
 it is a version label.
 
-Whisper uses the environment's default credentials to authenticate to AWS.
+Murmur uses the environment's default credentials to authenticate to AWS.
 
 ### Google Secret Manager
 
-Whisper will fetch secrets from Google Cloud Platform's Secret Manager for all
+Murmur will fetch secrets from Google Cloud Platform's Secret Manager for all
 environment variables that start with `gcpsm:`. What follows the prefix should
 reference a secret.
 
@@ -157,11 +156,11 @@ Here are some examples:
 - `gcpsm:example/secret-sauce#123` references a specific version of the
 - `secret-sauce` secret in the `example` project.
 
-Whisper uses the environment's default credentials to authenticate to Google
+Murmur uses the environment's default credentials to authenticate to Google
 Cloud. You can set these with the `gcloud` CLI, with environment variables,
 with Google Cloud's environment service accounts, or with workload identity.
 
-An alternative to whisper, specific to Google Cloud, is [berglas](https://github.com/GoogleCloudPlatform/berglas).
+An alternative to murmur, specific to Google Cloud, is [berglas](https://github.com/GoogleCloudPlatform/berglas).
 
 ### Hashicorp Vault
 
@@ -173,16 +172,16 @@ in the mean time.
 ### Passthrough
 
 The `passthrough:` prefix is special: it does not fetch secrets from anywhere.
-Whisper uses the secret's reference as its value. In effect, this simply removes
+Murmur uses the secret's reference as its value. In effect, this simply removes
 the `passthrough:` prefix from any environment variables.
 
 ## Filters
 
-Whisper supports transforming secrets with the following filters.
+Murmur supports transforming secrets with the following filters.
 
 ### JSONPath
 
-Whisper embeds the [Kubernetes JSONPath](https://kubernetes.io/docs/reference/kubectl/jsonpath/)
+Murmur embeds the [Kubernetes JSONPath](https://kubernetes.io/docs/reference/kubectl/jsonpath/)
 library. You can use it to extract specific fields from a JSON-encoded secret.
 For example, if you have a secret with a value of `{"sauce": "szechuan"}`, the
 `jsonpath` filter can extract the `sauce` field's value:
@@ -198,20 +197,20 @@ awssm:secret-sauce|jsonpath:{.sauce}
 Your application may use flags, like this:
 
 ```bash
-whisper exec /bin/run-my-app --port=3000
+murmur run /bin/run-my-app --port=3000
 ```
 
-Whisper then picks up the `--port` flag and returns an error:
+Murmur then picks up the `--port` flag and returns an error:
 
 ```plaintext
 Error: unknown flag: --port
 ```
 
-Whisper ignores any flags that come after a special `--` argument. So simply run
+Murmur ignores any flags that come after a special `--` argument. So simply run
 this command instead:
 
 ```bash
-whisper exec -- /bin/run-my-app --port=3000
+murmur run -- /bin/run-my-app --port=3000
 ```
 
 Any flags after the `--` argument will still be passed to your application.

examples/dockerfile/Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine
 
-COPY --from=ghcr.io/busser/whisper:latest /whisper /bin/whisper
+COPY --from=ghcr.io/busser/murmur:latest /murmur /bin/murmur
 
-ENTRYPOINT ["/bin/whisper", "exec", "--", "sh", "-c", "echo The secret sauce is $SECRET_SAUCE."]
+ENTRYPOINT ["/bin/murmur", "run", "--", "sh", "-c", "echo The secret sauce is $SECRET_SAUCE."]

examples/dockerfile/README.md

@@ -1,12 +1,12 @@
 # Example: Dockerfile
 
-This directory contains an example of using whisper inside a Dockerfile.
+This directory contains an example of using murmur inside a Dockerfile.
 
 To run the example:
 
 ```bash
-docker build -t whisper-example .
+docker build -t murmur-example .
 docker run \
     -e SECRET_SAUCE=passthrough:szechuan \
-    whisper-example
+    murmur-example
 ```

go.mod

@@ -1,4 +1,4 @@
-module github.com/busser/whisper
+module github.com/busser/murmur
 
 go 1.20
 

internal/cmd/murmur.go

@@ -0,0 +1,27 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+func Execute() {
+	if err := rootCmd().Execute(); err != nil {
+		os.Exit(1)
+	}
+}
+
+func rootCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "murmur",
+		Short: "Murmur passes secrets as environment variables to a process",
+		Long: `A plug-and-play shim that fetches secrets from a secure
+	location and passes them to your application as environment variables.`,
+		SilenceUsage: true,
+	}
+
+	cmd.AddCommand(runCmd())
+
+	return cmd
+}

internal/cmd/murmur_run.go

@@ -0,0 +1,36 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/busser/murmur/internal/murmur"
+	"github.com/spf13/cobra"
+)
+
+func runCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "run",
+		Short: "Run a command with secrets injected",
+		Long: `Run any command with updated environment variables. Any variables containing
+a reference to an externally-stored secret will be overwritten with the secret's
+value.
+
+Examples:
+
+  # Azure Key Vault
+  export SECRET_SAUCE="azkv:example.vault.azure.net/secret-sauce"
+  murmur run -- sh -c 'echo The secret sauce is $SECRET_SAUCE.'`,
+
+		Args: cobra.MinimumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			exitCode, err := murmur.Run(args[0], args[1:]...)
+			if err != nil {
+				return err
+			}
+			os.Exit(exitCode)
+			return nil
+		},
+	}
+
+	return cmd
+}