def get_parser() -> configargparse.ArgumentParser:
    """Build the command-line/config/env parser for the vault_wrapper program.

    Returns a ``configargparse.ArgumentParser`` whose options come from the
    command line, from the config file selected via ``args_for_setting_config_path``
    / ``default_config_files`` (both defined elsewhere in this module), or from
    the ``env_var`` names declared below.

    Security-relevant notes on the options declared here:

    * ``--token``, ``--app-id``, ``--user-id`` and ``--client-key`` are
      credentials. Every option that has an ``env_var`` can be supplied through
      the environment instead of the command line, which keeps the value out of
      the process table visible to other local users.
    * ``--tls-skip-verify`` is a ``store_false`` flag on ``dest="verify"``:
      verification is on by default and only disabled when the flag is given.
    * ``--pin-cacert`` defaults to the Debian system CA bundle; the help text
      states the Vault server certificate must chain to a CA in that file.
    """
    description = (
        "Use this program as a replacement for the any binary that needs to read a passphrase from STDIN, "
        "be it GnuPG or SSL. This was initially built for GoPythonGo/Aptly. It allows you to load a key "
        "passphrase from Hashicorp Vault (https://vaultproject.io/), thereby increasing security on your "
        "servers. To configure GoPythonGo specifically to use vault_wrapper, simply set "
        "'--aptly-use-vault-wrapper' on your GoPythonGo command-line. All parameters not recognized by "
        "vault_wrapper are passed directly to the wrapped program, so all other command-line options "
        "work as expected. If you use '--mode=aptly' vault_wrapper will always append "
        "'-passphrase-file /dev/stdin' to the final aptly command-line and send the passphrase twice "
        "(for both signing operations)."
    )
    parser = configargparse.ArgumentParser(
        description=description,
        prog="gopythongo.vaultwrapper",
        args_for_setting_config_path=args_for_setting_config_path,
        config_arg_help_message="Use this path instead of the default (.gopythongo/vaultwrapper)",
        default_config_files=default_config_files,
    )

    # --- general options -------------------------------------------------
    add_option = parser.add_argument
    add_option(
        "--wrap-program",
        dest="wrap_program",
        default=None,
        env_var="VAULTWRAPPER_PROGRAM",
        help="Path to the executable to wrap and provide a passphrase to.",
    )
    add_option(
        "--address",
        dest="vault_address",
        default="https://vault.local:8200",
        env_var="VAULT_URL",
        help="Vault URL",
    )
    add_option(
        "--wrap-mode",
        dest="wrap_mode",
        choices=["aptly", "stdin"],
        default="stdin",
        help="Select a mode of operation. 'aptly' will append '-passphrase-file /dev/stdin' to the "
             "wrapped program's parameters and output the passphrase twice, because aptly requires "
             "that for package signing.",
    )
    # The only required option: without a Vault path there is nothing to read.
    add_option(
        "--read-path",
        dest="read_path",
        default=None,
        required=True,
        env_var="VAULTWRAPPER_READ_PATH",
        help="The path to read from Vault. By default, vaultwrapper will look for a key 'passphrase' "
             "under this path (see --field).",
    )
    add_option(
        "--field",
        dest="read_field",
        default="passphrase",
        env_var="VAULTWRAPPER_FIELD",
        help="The key to read from the specified path. (Default: 'passphrase')",
    )
    # HelpAction / DebugConfigAction are custom argparse actions defined elsewhere in this module.
    add_option(
        "--help-policies",
        action=HelpAction,
        help="Show additional information about how to set up Vault for using vaultwrapper.",
    )
    add_option("--debug-config", action=DebugConfigAction)
    add_option(
        "--gpg-homedir",
        dest="gpg_homedir",
        default=None,
        help="Set $GNUPGHOME before executing the wrapped program, which helps to run aptly with "
             "gpg2.",
    )

    # --- HTTPS options -----------------------------------------------------
    https_group = parser.add_argument_group("HTTPS options")
    https_group.add_argument(
        "--pin-cacert",
        dest="pin_cacert",
        default="/etc/ssl/certs/ca-certificates.crt",
        env_var="VAULT_CACERT",
        help="Set the CA certificate for Vault (i.e. the server certificate MUST be signed by a CA "
             "in this file). The file should contain a list of CA certificates. The default is the "
             "location of the Debian Linux CA bundle (Default: '/etc/ssl/certs/ca-certificates.crt')",
    )
    # Note the inverted sense: dest "verify" starts True and the flag sets it to False,
    # so certificate verification is the default and must be opted out of explicitly.
    https_group.add_argument(
        "--tls-skip-verify",
        dest="verify",
        default=True,
        action="store_false",
        help="Skip SSL verification (only use this during debugging or development!)",
    )

    # --- Vault authentication options --------------------------------------
    auth_group = parser.add_argument_group("Vault authentication options")
    # NOTE(review): the help text describes --token as mutually exclusive with
    # --app-id/--user-id, but no mutually-exclusive group is declared here, so the
    # parser itself does not reject the combination; whichever code consumes these
    # values decides the precedence.
    auth_group.add_argument(
        "--token",
        dest="vault_token",
        env_var="VAULT_TOKEN",
        default=None,
        help="A Vault access token with a valid lease. This is one way of authenticating the wrapper "
             "to Vault. This is mutually exclusive with --app-id/--user-id.",
    )
    auth_group.add_argument(
        "--app-id",
        dest="vault_appid",
        env_var="VAULT_APPID",
        default=None,
        help="Set the app-id for Vault app-id authentication.",
    )
    auth_group.add_argument(
        "--user-id",
        dest="vault_userid",
        env_var="VAULT_USERID",
        default=None,
        help="Set the user-id for Vault app-id authentication.",
    )
    auth_group.add_argument(
        "--client-cert",
        dest="client_cert",
        default=None,
        env_var="VAULT_CLIENTCERT",
        help="Use a HTTPS client certificate to connect.",
    )
    auth_group.add_argument(
        "--client-key",
        dest="client_key",
        default=None,
        env_var="VAULT_CLIENTKEY",
        help="Set the HTTPS client certificate private key.",
    )
    return parser