
//! Command line arguments, shared by the services that use this module, for configuring
//! access to the Secret Store.
2
3use std::path::PathBuf;
4
5use clap::Parser;
6
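/// Secret Store (Vault) settings shared by every service that uses this module.
///
/// Each field can be supplied either as a `--ss-*` flag or through the matching
/// `SS_*` environment variable (the bare `env` attribute derives the variable
/// name from the field name). Prefer the environment variable for `ss_role_id`:
/// a value passed on the command line is visible to other local users through
/// the process list.
///
/// NOTE(review): this struct derives `Debug`, so formatting it with `{:?}`
/// prints the role id along with everything else. Avoid logging the parsed
/// arguments wholesale.
#[derive(Parser, Debug)]
pub struct SsArgs {
    /// The maximum number of Secret Store secrets to retain in our cache at any
    /// time. Least Recently Used (LRU) secrets are evicted from the cache once
    /// this value is exceeded.
    #[clap(env, long, default_value_t = 10_000)]
    pub ss_max_secrets: usize,

    /// The namespace to use when communicating with the Vault Secret Store.
    #[clap(env, long, default_value = "default")]
    pub ss_ns: String,

    /// The Secret Store role_id to use for approle authentication.
    ///
    /// The role id is one half of the AppRole credential, so its current value
    /// is kept out of `--help` output with `hide_env_values`: without it clap
    /// prints `[env: SS_ROLE_ID=<value>]` in the help text, which routinely ends
    /// up in CI logs and bug reports. No secret_id field is defined here;
    /// presumably it is delivered through another channel — confirm against the
    /// code that performs the approle login.
    #[clap(env, long, hide_env_values = true)]
    pub ss_role_id: String,

    /// The location of all secrets belonging to confidant. The recommendation is
    /// to create a dedicated user for confidant, and it is a requirement to
    /// remove group and world permissions on this directory. Then, use ACLs to
    /// express further access conditions.
    ///
    /// Nothing in this struct enforces those permissions — it only parses the
    /// path. Any check has to live with the code that opens the directory.
    #[clap(env, long, default_value = "/var/lib/confidant")]
    pub ss_root_path: PathBuf,

    /// A data field to be used in place of Vault's lease_duration field. Its
    /// value is interpreted as a humantime string, e.g. "1m", "1s". Note that v2
    /// of the Vault server does not appear to populate the lease_duration field
    /// for the KV secret store any longer; instead, a "ttl" field from the data
    /// can be used.
    #[clap(env, long)]
    pub ss_ttl_field: Option<String>,

    /// How long to wait before re-requesting a secret from the Vault Secret
    /// Store server after it answered that we are unauthorized to read it.
    /// Defaults to one minute.
    #[clap(env, long, default_value = "1m")]
    pub ss_unauthorized_timeout: humantime::Duration,
}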