
//! Provides the command line arguments shared by the services that use this module.
2
3use std::path::PathBuf;
4
5use clap::Parser;
6use reqwest::Url;
7
/// Command line arguments for talking to the Vault Secret Store.
//
// Every field carries `#[clap(env, long)]`, so each one can be given as a
// `--ss-...` flag or through the upper-cased field name in the environment
// (`SS_ROLE_ID`, `SS_SERVER`, ...); a command line flag overrides the
// environment, which overrides the `default_value`.
//
// NOTE(review): `Debug` is derived, so `{:?}` on this struct prints
// `ss_role_id` verbatim — keep the whole struct out of routine log output.
#[derive(Parser, Debug)]
pub struct SsArgs {
    /// The maximum time we allow for a lease to expire. This is important to curb
    /// situations where the secret store is not honoring a previously advised
    /// lease duration for some reason. While this should never happen, given the
    /// nature of the secret store being in a separate process, it technically
    /// can happen (and has!).
    #[clap(env, long, default_value = "30m")]
    pub ss_max_lease_duration: humantime::Duration,

    /// The max number of Vault Secret Store secrets to retain by our cache at any time.
    /// Least Recently Used (LRU) secrets will be evicted from our cache once this value
    /// is exceeded.
    #[clap(env, long, default_value_t = 10_000)]
    pub ss_max_secrets: usize,

    /// A namespace to use when communicating with the Vault Secret Store
    #[clap(env, long, default_value = "default")]
    pub ss_ns: String,

    /// The Vault Secret Store role_id to use for approle authentication.
    /// Treat this value as sensitive. The matching AppRole secret_id is not
    /// part of these arguments.
    // No default: the process cannot authenticate without it, so clap rejects
    // a start-up that supplies neither `--ss-role-id` nor `SS_ROLE_ID`.
    #[clap(env, long)]
    pub ss_role_id: String,

    /// A URL of the Vault Secret Store server to communicate with
    // NOTE(review): the default is plaintext `http://`. The two TLS options
    // below are presumably only consulted for `https://` URLs — confirm
    // against the client builder that consumes these arguments.
    #[clap(env, long, default_value = "http://localhost:9876")]
    pub ss_server: Url,

    /// A path to a TLS cert pem file to be used for connecting with the Vault Secret Store server.
    // NOTE(review): the help does not say whether this is the CA/server
    // certificate to trust or a client identity certificate — confirm against
    // the client builder and state it here.
    #[clap(env, long)]
    pub ss_server_cert_path: Option<PathBuf>,

    /// Insecurely trust the Secret Store's TLS certificate.
    /// Intended for local development only.
    // NOTE(review): this is a bool flag that is also read from the
    // environment; how a value such as `SS_SERVER_INSECURE=false` is
    // interpreted depends on this clap version's env parsing for flags —
    // confirm, and prefer leaving the variable unset rather than set to a
    // falsy string.
    #[clap(env, long)]
    pub ss_server_insecure: bool,

    /// A data field to used in place of Vault's lease_duration field. Time
    /// will be interpreted as a humantime string e.g. "1m", "1s" etc. Note
    /// that v2 of the Vault server does not appear to populate the lease_duration
    /// field for the KV secret store any longer. Instead, we can use a "ttl" field
    /// from the data.
    #[clap(env, long)]
    pub ss_ttl_field: Option<String>,

    /// How long we wait until re-requesting the Vault Secret Store server for an
    /// authentication given a bad auth prior.
    // Despite the name, this (and `ss_unauthorized_timeout` below) is a
    // wait-before-retry interval, not a request timeout.
    #[clap(env, long, default_value = "1m")]
    pub ss_unauthenticated_timeout: humantime::Duration,

    /// How long we wait until re-requesting the Vault Secret Store server for an
    /// unauthorized secret again.
    #[clap(env, long, default_value = "1m")]
    pub ss_unauthorized_timeout: humantime::Duration,
}
59    #[clap(env, long, default_value = "1m")]
60    pub ss_unauthorized_timeout: humantime::Duration,
61}