//! CLI entry point and subcommand dispatch.
//!
//! This module defines the top-level `locket` command-line interface.
//! It dispatches execution to specific handlers:
//!
//! * **Inject**: Sidecar mode (`locket inject`).
//! * **Exec**: Process injection wrapper (`locket exec`).
//! * **Healthcheck**: Health probe for the sidecar (`locket healthcheck`).
//! * **Compose**: Docker Compose provider integration.
//! * **Volume**: Docker Volume driver integration.
use clap::{Parser, Subcommand};
#[cfg(feature = "compose")]
mod compose;
mod config;
#[cfg(feature = "exec")]
mod exec;
mod healthcheck;
mod inject;
#[cfg(feature = "volume")]
#[cfg(target_os = "linux")]
mod volume;
use crate::config::LayeredArgs;
#[cfg(feature = "compose")]
pub use compose::compose;
#[cfg(feature = "compose")]
pub use config::compose::ComposeArgs;
#[cfg(feature = "exec")]
pub use config::exec::{ExecArgs, ExecConfig};
#[cfg(feature = "volume")]
#[cfg(target_os = "linux")]
pub use config::volume::{PluginArgs, PluginConfig};
pub use config::{
healthcheck::HealthArgs,
inject::{InjectArgs, InjectConfig},
};
#[cfg(feature = "exec")]
pub use exec::exec;
pub use healthcheck::healthcheck;
pub use inject::inject;
#[cfg(feature = "volume")]
#[cfg(target_os = "linux")]
pub use volume::volume;
// Root of the `locket` argument parser.
//
// Plain `//` comments are used here on purpose: clap's derive turns `///` doc
// comments into help text, and this type sets `about` / `long_about`
// explicitly through the `#[command(...)]` attribute below.
#[derive(Debug, Parser)]
#[command(
    name = "locket",
    version,
    about = "Materialize secrets from environment or templates",
    long_about = None
)]
pub struct Cli {
    // The selected subcommand; see `Command` for the available modes.
    #[command(subcommand)]
    pub cmd: Command,
}
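// Subcommands of the `locket` CLI.
//
// The `///` doc comments on the variants are rendered by clap as help text
// (verbatim where `verbatim_doc_comment` is set), so they are user-facing
// output. Reviewer and maintainer notes are kept in plain `//` comments so
// that they do not leak into `--help`.
#[derive(Subcommand, Debug)]
pub enum Command {
    // NOTE(review): the example passes the provider token as a `file:`
    // reference and not as a literal value; presumably this keeps the token
    // out of argv and shell history. Confirm against the provider config.
    // NOTE(review): the `\ # ...` annotations in the example are illustrative.
    // A `#` after a line-continuation backslash is not treated as a comment by
    // `sh`, so the block cannot be pasted into a shell as written.
    /// Inject secrets from secret references into files and directories.
    ///
    /// Example:
    ///
    /// ```sh
    /// locket inject --provider bws --bws-token=file:/path/to/token \ # Select the BWS provider
    /// --out /run/secrets/locket \ # Default output directory
    /// --secret=/path/to/secrets.yaml \ # An anonymous secret file, placed in `/run/secrets/locket/secrets.yaml`
    /// --secret=auth_key=@key.pem \ # A named secret file, placed in `/run/secrets/locket/auth_key`
    /// --map ./tpl:/run/secrets/locket/mapped \ # Maps all templates in `./tpl/` directory to secrets in `/run/secrets/locket/mapped`
    /// ```
    #[command(verbatim_doc_comment)]
    Inject(LayeredArgs<InjectArgs>),

    // Security note: values placed in a process environment are inherited by
    // the wrapped command and by every child it spawns. Where that exposure is
    // not wanted, the `--map` file materialization shown in the example is the
    // alternative this subcommand offers.
    // NOTE(review): `{{ reference }}` contains spaces; in a real shell the
    // `-e` value would need quoting to stay a single argument.
    /// Execute a command with secrets injected into the process environment,
    /// and optionally materialize secrets from template files.
    ///
    /// Example:
    ///
    /// ```sh
    /// locket exec --provider bws --bws-token=file:/path/to/token \
    /// -e locket.env -e OVERRIDE={{ reference }} \
    /// --map ./tpl/config:/app/config \
    /// -- docker compose up -d
    /// ```
    #[cfg(feature = "exec")]
    #[command(verbatim_doc_comment)]
    Exec(LayeredArgs<ExecArgs>),

    /// Checks the health of the sidecar agent, determined by the state of materialized secrets.
    ///
    /// Exits with code 0 if all known secrets are materialized, otherwise exits with non-zero exit code.
    #[command(verbatim_doc_comment)]
    Healthcheck(HealthArgs),

    // Compiled in only when the `volume` feature is enabled and the target is Linux.
    /// Run as a Docker Volume Plugin
    #[cfg(all(feature = "volume", target_os = "linux"))]
    Volume(LayeredArgs<PluginArgs>),

    /// Docker Compose provider API
    #[cfg(feature = "compose")]
    Compose(Box<ComposeArgs>),

    // `hide = true` only removes this entry from the help output; the
    // subcommand stays callable by name, so it is not an access control.
    /// Docker CLI plugin metadata command
    #[cfg(feature = "compose")]
    #[command(name = "docker-cli-plugin-metadata", hide = true)]
    DockerCliPluginMetadata,
}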