locket 0.17.3

Helper tool for secret injection as a process dependency
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

use crate::logging::{Logger, LoggerArgs};
use crate::process::{ProcessTimeout, ShellCommand};
use crate::provider::{Provider, ProviderArgs};
use crate::secrets::{Secret, SecretManagerArgs, SecretManagerConfig};
use crate::watch::DebounceDuration;
use clap::Args;
use locket_derive::LayeredConfig;
use serde::{Deserialize, Serialize};

#[derive(Debug, Clone)]
pub struct ExecConfig {
    pub cmd: ShellCommand,
    pub watch: bool,
    pub interactive: Option<bool>,
    pub env_files: Vec<Secret>,
    pub env_overrides: Vec<Secret>,
    pub manager: SecretManagerConfig,
    pub provider: Provider,
    pub timeout: ProcessTimeout,
    pub debounce: DebounceDuration,
    pub logger: Logger,
}

#[derive(Args, Debug, Clone, Default, Serialize, Deserialize, LayeredConfig)]
#[serde(rename_all = "kebab-case")]
#[locket(try_into = "ExecConfig", section = "exec")]
pub struct ExecArgs {
    /// Watch mode will monitor for changes to .env files and restart the command if changes are detected.
    #[arg(
        long,
        env = "LOCKET_EXEC_WATCH",
        num_args = 0..=1,
        default_missing_value = "true",
        require_equals = false
    )]
    #[locket(default = false)]
    pub watch: Option<bool>,

    /// Run the command in interactive mode, attaching stdin/stdout/stderr.
    ///
    /// If not specified, defaults to true in non-watch mode and false in watch mode.
    #[arg(
        long,
        env = "LOCKET_EXEC_INTERACTIVE",
        num_args = 0..=1,
        default_missing_value = "true",
        require_equals = false,
    )]
    #[locket(optional)]
    pub interactive: Option<bool>,

    /// Files containing environment variables which may contain secret references
    #[arg(
        long = "env-files",
        env = "LOCKET_ENV_FILE",
        value_name = "/path/to/.env",
        alias = "env-file",
        value_delimiter = ',',
        hide_env_values = true,
        help_heading = None,
        value_parser = crate::path::parse_secret_path,
        action = clap::ArgAction::Append,
    )]
    #[serde(alias = "env-file", default)]
    pub env_files: Vec<Secret>,

    /// Environment variable overrides which may contain secret references
    #[arg(
        long = "env-overrides",
        alias = "env",
        short = 'e',
        env = "LOCKET_ENV",
        value_name = "KEY=VAL, KEY=@FILE or /path/to/.env",
        value_delimiter = ',',
        hide_env_values = true,
        alias = "env",
        help_heading = None,
        action = clap::ArgAction::Append,
    )]
    #[serde(
        alias = "env",
        default,
        deserialize_with = "crate::config::parsers::polymorphic_vec"
    )]
    #[locket(docs = "
        TOML syntax supports list of strings or map form:
        List form:
        env = [\"db_password={{..}}\", \"api_key={{..}}\"]

        Map form:
        [env]
        db_password = \"{{..}}\"
        api_key = \"{{..}}\"
    ")]
    pub env_overrides: Vec<Secret>,

    #[command(flatten)]
    #[serde(flatten)]
    pub manager: SecretManagerArgs,

    /// Timeout duration for process termination signals.
    ///
    /// Unitless numbers are interpreted as seconds.
    #[arg(long, env = "LOCKET_EXEC_TIMEOUT")]
    #[locket(default = ProcessTimeout::default())]
    pub timeout: Option<ProcessTimeout>,

    /// Debounce duration for filesystem events in watch mode.
    ///
    /// Events occurring within this duration will be coalesced into a single update
    /// so as to not overwhelm the secrets manager with rapid successive updates from
    /// filesystem noise.
    ///
    /// Handles human-readable strings like "100ms", "2s", etc.
    /// Unitless numbers are interpreted as milliseconds.
    #[arg(long, env = "WATCH_DEBOUNCE")]
    #[locket(default = DebounceDuration::default())]
    pub debounce: Option<DebounceDuration>,

    /// Logging configuration
    #[command(flatten)]
    #[serde(flatten)]
    pub logger: LoggerArgs,

    /// Secrets provider selection
    #[command(flatten, next_help_heading = "Provider Configuration")]
    #[serde(flatten)]
    pub provider: ProviderArgs,

    /// Command to execute with secrets injected into environment
    ///
    /// Must be the last argument(s), following a `--` separator.
    ///
    /// Example: `locket exec -e locket.env -- docker compose up -d`
    #[arg(trailing_var_arg = true, help_heading = None)]
    #[serde(default)]
    #[locket(overlay = "crate::config::parsers::vec_replace")]
    pub cmd: Vec<String>,
}