import argparse
from typing import Any, Optional, Sequence, Union

import configargparse


# The page only shows the method below; the class name is assumed here so the
# snippet is a complete argparse Action that can be attached to a parser.
class VaultHelpAction(argparse.Action):
    """Print the Vault integration help text and exit (used as an argparse/configargparse Action)."""

    def __call__(self, parser: configargparse.ArgumentParser, namespace: configargparse.Namespace,
                 values: Union[str, Sequence[Any], None], option_string: Optional[str] = None) -> None:
        print("Vault Integration\n"
              "=================\n"
              "\n"
              "When signing packages, GoPythonGo/Aptly must know the passphrase to use for GPG,\n"
              "especially when GoPythonGo is invoked on a build server without user\n"
              "interaction. A good way to manage secret information such as GPG passphrases or\n"
              "TLS keys for automated jobs is Hashicorp's Vault (https://vaultproject.io/).\n"
              "Using aptly_vault_wrapper as a replacement for the aptly executable allows you\n"
              "to query Vault for the GPG passphrase to use when signing packages.\n"
              "\n"
              "Once you have a configured, initialized and unsealed Vault installation in your\n"
              "network, you must set up a policy for aptly_vault_wrapper to use and define a\n"
              "way for aptly_vault_wrapper to authenticate. Currently aptly_vault_wrapper\n"
              "allows you to pass in a Vault auth token or use the app-id authentication\n"
              "backend.\n"
              "\n"
              "Here is an example for how I use Vault to store the GnuPG package signature\n"
              "passphrase for GoPythonGo packages:\n"
              "\n"
              "Let's set up a read-only policy, assuming that you have already authenticated\n"
              "to Vault (the policy body is read from stdin, so it ends with a '-'):\n"
              "\n"
              "    vault policy-write r_pkg_sign -\n"
              "    path \"secret/gpg/package_sign_passphrase\" {\n"
              "        capabilities = [\"read\"]\n"
              "    }\n"
              "\n"
              "Then store the passphrase there:\n"
              "\n"
              "    vault write secret/gpg/package_sign_passphrase value=-\n"
              "    [send the passphrase on stdin so it is not saved in your shell history!]\n"
              "\n"
              "And finally set up app-id for aptly_vault_wrapper. Make sure you set cidr_block\n"
              "to an appropriate value for your network: only hosts inside that range can use\n"
              "the user-id, so keep it as narrow as your build servers allow:\n"
              "\n"
              "    # Make sure you are authenticated with Vault, then run something like the\n"
              "    # following commands:\n"
              "    vault auth-enable app-id\n"
              "    APPID=$(python3 -c \"import uuid; print(str(uuid.uuid4()), end='')\")\n"
              "    vault write auth/app-id/map/app-id/$APPID value=r_pkg_sign \\\n"
              "        display_name=vaultwrapper\n"
              "    USERID=$(python3 -c \"import uuid; print(str(uuid.uuid4()), end='')\")\n"
              "    vault write auth/app-id/map/user-id/$USERID value=$APPID \\\n"
              "        cidr_block=192.168.56.0/24\n"
              "    echo 'App-id (put this in your .gopythongo settings):'\n"
              "    echo $APPID\n"
              "\n"
              "    echo 'User-id (put this in the VAULT_USERID environment variable on your'\n"
              "    echo 'build server, or in your build job config):'\n"
              "    echo $USERID\n"
              "\n"
              "Security notice: The documentation only states this implicitly, but you should\n"
              "only use 'hard to guess' UUIDs here. The app-id and user-id together are all\n"
              "Vault needs to hand out a token, so treat the user-id like a password. On most\n"
              "systems Python's uuid.uuid4() draws its random bytes from os.urandom, so this\n"
              "should be fine, but it doesn't hurt to check.\n")
        parser.exit(0)
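The help text above describes what the wrapper has to do at build time: log in to Vault (with a pre-issued token or with the app-id/user-id pair) and read `secret/gpg/package_sign_passphrase`. The following is an added example of that exchange against Vault's HTTP API; it is not the project's own aptly_vault_wrapper code. It assumes the app-id backend of Vault releases of that era (`POST /v1/auth/app-id/login` returning `auth.client_token`, secrets read with `GET /v1/secret/...` and the `X-Vault-Token` header) and a secret stored under the key `value`, as in the `vault write ... value=-` command above. The `VaultClient`, `fetch_signing_passphrase` and `make_fake_vault` names are this example's own, and the fake Vault server is constructed here so the code runs offline.

```python
"""Added example: Vault app-id login and secret read as a signing wrapper would do it.

Not project code. Assumes Vault's app-id auth backend (auth/app-id/login) and the
generic "secret/" backend; the FakeVault transport is constructed for offline use.
"""
import json
import os
from typing import Any, Callable, Dict, Optional, Tuple

# transport(method, url, headers, body) -> (http_status, raw_response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


class VaultError(RuntimeError):
    """Raised for any non-200 answer from Vault (bad credentials, no policy, ...)."""


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport, used only when a real Vault is reachable."""
    from urllib.error import HTTPError
    from urllib.request import Request, urlopen
    try:
        with urlopen(Request(url, data=body, headers=headers, method=method), timeout=10) as r:
            return r.status, r.read()
    except HTTPError as e:
        return e.code, e.read()


class VaultClient:
    def __init__(self, addr: str, transport: Transport = urllib_transport) -> None:
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token  # Vault's token header
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, "%s/v1/%s" % (self.addr, path), headers, body)
        if status != 200:
            # Never echo the request body: it carries the user-id on login.
            raise VaultError("%s %s -> HTTP %d" % (method, path, status))
        return json.loads(raw.decode())

    def login_app_id(self, app_id: str, user_id: str) -> str:
        """POST auth/app-id/login; Vault answers with a token carrying the mapped policy."""
        resp = self._call("POST", "auth/app-id/login", {"app_id": app_id, "user_id": user_id})
        self.token = resp["auth"]["client_token"]
        return self.token

    def read_value(self, path: str, key: str = "value") -> str:
        """GET secret/<path>; the passphrase was written under the key 'value'."""
        return self._call("GET", path)["data"][key]


def fetch_signing_passphrase(addr: str, app_id: str, user_id: Optional[str] = None,
                             token: Optional[str] = None,
                             path: str = "secret/gpg/package_sign_passphrase",
                             transport: Transport = urllib_transport) -> str:
    """Use a pre-issued token if given, otherwise log in via app-id, then read the secret."""
    client = VaultClient(addr, transport)
    if token:
        client.token = token
    else:
        if not user_id:
            raise VaultError("need either a Vault token or an app-id user-id")
        client.login_app_id(app_id, user_id)
    return client.read_value(path)


def make_fake_vault(app_id: str, user_id: str, passphrase: str,
                    secret_path: str = "secret/gpg/package_sign_passphrase") -> Transport:
    """Constructed stand-in for a Vault server enforcing an r_pkg_sign-style read policy."""
    issued_token = "constructed-client-token"

    def transport(method: str, url: str, headers: Dict[str, str],
                  body: Optional[bytes]) -> Tuple[int, bytes]:
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/app-id/login":
            creds = json.loads(body or b"{}")
            if creds.get("app_id") == app_id and creds.get("user_id") == user_id:
                return 200, json.dumps({"auth": {"client_token": issued_token}}).encode()
            return 400, b'{"errors":["invalid user ID or app ID"]}'
        if method == "GET" and path == secret_path:
            if headers.get("X-Vault-Token") == issued_token:
                return 200, json.dumps({"data": {"value": passphrase}}).encode()
            return 403, b'{"errors":["permission denied"]}'
        return 404, b'{"errors":[]}'

    return transport


if __name__ == "__main__":
    # Real use: VAULT_ADDR and VAULT_USERID come from the build job, the app-id from .gopythongo.
    fake = make_fake_vault("app-uuid", "user-uuid", "correct horse battery staple")
    print(fetch_signing_passphrase(os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"),
                                   "app-uuid", user_id="user-uuid", transport=fake))
```

Two things worth noticing when wiring this into a real job: the error path deliberately reports only method, path and status, because the login body contains the user-id and a build log is the last place it should end up; and a token that Vault rejects (expired, or issued under a different policy) surfaces as the same `VaultError` as a bad user-id, so the job fails closed rather than signing with an empty passphrase. Hashicorp later deprecated the app-id backend in favour of AppRole, which uses the same role-id/secret-id split; the flow above maps onto it with different endpoints.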