Minimal configuration handling supporting HashiCorp Vault.
Project description
Plainconf
Attempts to help build sensible configuration for Python projects.
DISCLAIMER
Unless you need some specific functionality in here, I recommend using Dynaconf as it is more mature.
Install
pip install plainconf
What does this do?
It creates a flat conf (no nesting, just one level) that takes the entries for one environment from a settings file and from one of:
- a secrets file
- HashiCorp Vault, if vault_url, a mount_point and either token, userpass or approle credentials are provided (optionally vault_path)
- a secrets file with Fernet-encrypted values, if the key is provided (see "Encrypting toml file with fernet")
settings.toml
[development]
db_url = "localhost:4321"
.secrets.toml
[development]
password = "secret"
from plainconf import Plainconf

conf = Plainconf(
    environment="development",
    settings_file="settings.toml",
    secrets_file=".secrets.toml",
)
assert conf.db_url == "localhost:4321"
assert conf.password == "secret"
Assumptions
Plainconf assumes that the settings and secrets are organised in environments. It further assumes that the relevant configuration is the most specific one and that all levels above it hold common information for the levels below. The environments have to be present in both the settings and the secrets file.
[development]
... <- this information is relevant to development.local
[development.local] <- this is the environment you want to work with (including everything from development)
...
[development.staging]
...
Encrypting toml file with fernet
In order to encrypt the values in the toml file you will need a Fernet key:
from cryptography.fernet import Fernet
key = Fernet.generate_key()
encrypt_toml(key: bytes, file: str) expects the key as bytes and the path to the secrets file to be encrypted:
from plainconf import encrypt_toml
encrypt_toml(key, '.secrets.toml')  # key: the bytes returned by Fernet.generate_key()
This writes a file ending in _enc.toml with the values encrypted:
[development]
password = "gAAAAABlDfsMIkZzIqKFQW8NBHVIqITKLCgQkzr6VKOYglHroZ--jFtkEsFr3feqSL1WCWy7gdlhvjHkBmx_JjQxKYKiqNge0A=="
In order to read the encrypted secrets, the key has to be given as a keyword argument or as an environment variable (without the b at the beginning).
Nested environments
Plainconf will read the environment given in the variable and the entries above and flatten everything, as that is the use case I have.
[development]
db_url = "localhost:4321"
[development.local]
db_username = "local"
conf = Plainconf(
    environment="development.local",
    settings_file="settings.toml",
)
assert conf.db_url == "localhost:4321"
assert conf.db_username == "local"
Limitations
- Only supports userpass, approle and token authentication on HashiCorp Vault
- Only works with the kv secrets engine
- Only supports toml
(for now)
Examples
With files
.mysecrets.toml:
[development]
password = 'secret'
conf = Plainconf(
    secrets_file='.mysecrets.toml',
    settings_file='mysettings.toml',
    environment='development'
)
...
assert conf.password == "secret"
With vault
on the vault:
somewhere/development:
password = 'supersecret'
conf = Plainconf(
    vault_url="http://localhost:8200",
    vault_token="hvs.abc123def456",
    vault_mount_point="somewhere",
    environment="development"
)
assert conf.password == "supersecret"
Environment from env
.env file:
PLAINCONF_ENVIRONMENT="development"
PLAINCONF_VAULT_TOKEN="hvs.something123"
PLAINCONF_VAULT_URL="http://development.vault:8200"
conf = Plainconf()
assert conf.password == "supersecret"
Settings REQUIRED!
Plainconf(settings_file='path_to_file')
or environment variable PLAINCONF_SETTINGS_FILE="..."
Settings are read from the respective environment (default: default)
Secrets
Plainconf(secrets_file='path_to_file')
or environment variable PLAINCONF_SECRETS_FILE="..."
Secrets are read from the environment (default: default)
Environments
Plainconf(environment='name')
or environment variable PLAINCONF_ENVIRONMENT="..."
or default: default
Vault
HashiCorp Vault can be accessed via token, approle or userpass.
Required configuration:
- Plainconf(vault_url='http...') or environment variable PLAINCONF_VAULT_URL
- Plainconf(vault_mount_point='name') or environment variable PLAINCONF_VAULT_MOUNT_POINT
and either a token
- Plainconf(vault_token="hvs...") or PLAINCONF_VAULT_TOKEN
or user and pass
- Plainconf(vault_user='user', vault_pass='password') or PLAINCONF_VAULT_USER and PLAINCONF_VAULT_PASS
or approle id and secret
- Plainconf(vault_approle_id='role_id', vault_approle_secret_id='secret_id') or PLAINCONF_APPROLE_ID and PLAINCONF_APPROLE_SECRET_ID
Optional:
- Plainconf(vault_path='secret/special...') or PLAINCONF_VAULT_PATH or default: environment (see above)
Plainconf tries the Vault kv secrets engine v2 first and falls back to v1 after that.
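What a v2-then-v1 lookup involves at the level of Vault's HTTP API, as an added example that is not Plainconf's own code: read_kv and fake_vault are hypothetical, and the authenticated HTTP GET is replaced by a table of constructed responses so the block runs offline. The mounts "legacy" and "locked" are made up to show a v1 mount and a denied read.

```python
from typing import Callable, Optional, Tuple

Fetch = Callable[[str], Tuple[int, Optional[dict]]]  # url -> (HTTP status, JSON body)


def read_kv(fetch: Fetch, vault_url: str, mount_point: str, path: str) -> Tuple[str, dict]:
    """Read one secret from a kv mount, trying the v2 layout first, then v1.

    kv v2 serves secrets at <mount>/data/<path> wrapped as
    {"data": {"data": {...}, "metadata": {...}}}; kv v1 serves them at
    <mount>/<path> as {"data": {...}}. Returns (layout, secret).
    """
    base = f"{vault_url.rstrip('/')}/v1/{mount_point.strip('/')}"
    path = path.strip("/")
    attempts = (
        ("v2", f"{base}/data/{path}", ("data", "data")),
        ("v1", f"{base}/{path}", ("data",)),
    )
    statuses = {}
    for layout, url, keys in attempts:
        status, body = fetch(url)
        statuses[layout] = status
        secret = body if status == 200 else None
        for key in keys:  # unwrap the response envelope for this layout
            secret = secret.get(key) if isinstance(secret, dict) else None
        if isinstance(secret, dict):
            return layout, secret
        # Not found or denied: a policy scoped to a v1 path does not cover
        # <mount>/data/<path>, so the v2 probe can come back 403, not 404.
    if set(statuses.values()) <= {401, 403}:
        raise PermissionError(f"vault denied {mount_point}/{path}: {statuses}")
    raise LookupError(f"no kv secret at {mount_point}/{path}: {statuses}")


def fake_vault(responses: dict) -> Fetch:
    """Stand-in for an authenticated HTTP GET, backed by constructed responses."""
    return lambda url: responses.get(url, (404, None))


URL = "http://localhost:8200"  # constructed sample data below
DENIED = (403, {"errors": ["permission denied"]})
RESPONSES = {
    f"{URL}/v1/somewhere/data/development": (
        200, {"data": {"data": {"password": "supersecret"}, "metadata": {"version": 3}}}),
    f"{URL}/v1/legacy/data/development": DENIED,
    f"{URL}/v1/legacy/development": (200, {"data": {"password": "oldsecret"}}),
    f"{URL}/v1/locked/data/development": DENIED,
    f"{URL}/v1/locked/development": DENIED,
}
```

Raising PermissionError only when both layouts are denied keeps a credential or policy problem from being reported as a missing secret.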
Fernet Key
- Plainconf(fernet_key='key') or PLAINCONF_FERNET_KEY
File details
Details for the file plainconf-0.1.21.tar.gz.
File metadata
- Download URL: plainconf-0.1.21.tar.gz
- Upload date:
- Size: 6.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/4.0.2 CPython/3.11.5
File hashes
Algorithm | Hash digest
---|---
SHA256 | 580604b9703f6d075fb9d80672fe41e7302d5189d58f1e2411cd2c68cb5986ed
MD5 | 9ef158cb7faac06db87ef3875b41fe42
BLAKE2b-256 | 03fa606a54f4e9b907ec84a1f834ceba1b95df1d292575b19e77784e357cfadb
File details
Details for the file plainconf-0.1.21-py3-none-any.whl.
File metadata
- Download URL: plainconf-0.1.21-py3-none-any.whl
- Upload date:
- Size: 5.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/4.0.2 CPython/3.11.5
File hashes
Algorithm | Hash digest
---|---
SHA256 | 39c94802ef53c8eb8e9023b68a1a7f45689ae77ae07f0b5ecbbf180a5da738c3
MD5 | 803d0c5d6da22f4dfa3520e9b71ecb5e
BLAKE2b-256 | 28b12c7fc7270b98680d9baabf1cff1960d241fe95dc7066bb3ffaf07e9be421