mirror of
ssh://git.janware.com/janware/proj/jw-pkg
synced 2026-04-28 23:04:33 +02:00
cmds.CmdSecrets: Add command class + subcommands

jw-pkg.py secrets [sub-command] [packages] is a set of utility
commands designed to manage configuration files containing secrets.

To keep secrets from leaking via version control or packages, a
_template_ should be packaged for every sensitive configuration file.
Then, during post-install, configuration files can be generated from
packaged templates via

  jw-pkg.py secrets compile-templates <package> <package> ...

During post-uninstall

  jw-pkg.py secrets rm-compilation-output <package> <package> ...

removes them.

Not specifying any packages will compile or remove all templates on
the system.

To identify which files to consider and generate or remove, the
compilation scans <package> for files ending in .jw-tmpl. For each
match, e.g.

  /path/to/some.conf.jw-tmpl

it will read key-value pairs from

  /path/to/some.conf.jw-secret

and generate

  /path/to/some.conf

from it, replacing all keys by their respective values. The file
attributes of the generated file can be determined by the first line
of some.conf.jw-tmpl or some.conf.jw-secret:

  # conf: owner=mysql; group=mysql; mode=0640

There are other commands for managing all secrets on the system at
once, see jw-pkg.py secrets --help:

  compile-templates     Compile package template files
  list-compilation-output
                        List package compilation output files
  list-secrets          List package secret files
  list-templates        List package template files
  rm-compilation-output
                        Remove package compilation output files

Signed-off-by: Jan Lindemann <jan@janware.com>
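
The compile step described in the commit message above, as an added example that is not jw-pkg's own code. It assumes the .jw-secret file holds one key=value pair per line, that keys are replaced literally, and that the mode defaults to 0600 when no "# conf:" header is present; owner and group are parsed but not applied, and all function names are hypothetical.

```python
import os
import re

def parse_conf(line):
    """Parse '# conf: owner=mysql; group=mysql; mode=0640' into a dict."""
    m = re.match(r"#\s*conf:(.*)", line)
    if not m:
        return {}
    pairs = (p.split("=", 1) for p in m.group(1).split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def read_secrets(path):
    """Assumed .jw-secret format: one key=value per line, '#' starts a comment."""
    secrets = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            if line.strip() and not line.startswith("#"):
                key, _, value = line.rstrip("\n").partition("=")
                secrets[key.strip()] = value.strip()
    return secrets

def first_line(path):
    with open(path, encoding="utf-8") as f:
        return f.readline()

def compile_template(tmpl_path):
    out_path = tmpl_path[: -len(".jw-tmpl")]  # some.conf.jw-tmpl -> some.conf
    secret_path = out_path + ".jw-secret"
    secrets = read_secrets(secret_path)
    with open(tmpl_path, encoding="utf-8") as f:
        text = f.read()
    if secrets:
        # One pass, longest key first, so substituted values are never rescanned.
        keys = sorted(secrets, key=len, reverse=True)
        text = re.sub("|".join(map(re.escape, keys)), lambda m: secrets[m.group(0)], text)
    conf = parse_conf(first_line(tmpl_path)) or parse_conf(first_line(secret_path))
    mode = int(conf.get("mode", "0600"), 8)  # assumed default when no header
    tmp_path = out_path + ".tmp"
    # Create owner-only and set the final mode before any secret is written.
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            os.fchmod(f.fileno(), mode)
            f.write(text)
        os.replace(tmp_path, out_path)  # atomic swap into place
    except BaseException:
        os.unlink(tmp_path)
        raise
    return out_path
```

Because the file is opened with 0600 and only then given its final mode, the secret never sits on disk with umask-derived permissions, and a reader of some.conf sees either the old file or the complete new one.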
parent 18c16917b2
commit 18de6f2cf2
9 changed files with 352 additions and 0 deletions
18
src/python/jw/pkg/cmds/secrets/CmdCompileTemplates.py
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
from __future__ import annotations
|
||||
from typing import TYPE_CHECKING
|
||||
|
||||
from .Cmd import Cmd
|
||||
|
||||
if TYPE_CHECKING:
|
||||
from ..CmdSecrets import CmdSecrets
|
||||
from argparse import Namespace, ArgumentParser
|
||||
|
||||
class CmdCompileTemplates(Cmd): # export
|
||||
|
||||
def __init__(self, parent: CmdSecrets) -> None:
|
||||
super().__init__(parent, 'compile-templates', help="Compile package template files")
|
||||
|
||||
async def _run(self, args: Namespace) -> None:
|
||||
await self._compile_template_files(args.packages)
|
||||
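Review bot: `ArgumentParser` is imported under `TYPE_CHECKING` but nothing in these 18 lines references it; only `Namespace` is used, in the `_run` signature, so the import can be dropped. `_run` also reads `args.packages` although this class registers no arguments of its own, so it depends on `Cmd` or `CmdSecrets` to define `packages`. Since the commit message says that giving no packages compiles every template on the system, and this command writes files containing secrets, a short docstring on the class stating where `packages` comes from and what happens when none are given would make that contract visible at the call site.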