Environment#

pydantic model phalanx.models.environments.Environment#

A Phalanx environment and its associated settings.

Parameters:

data (Any) –

JSON schema:
{
   "title": "Environment",
   "description": "A Phalanx environment and its associated settings.",
   "type": "object",
   "properties": {
      "name": {
         "description": "Name of the environment",
         "title": "Name",
         "type": "string"
      },
      "fqdn": {
         "description": "Fully-qualified domain name on which the environment listens",
         "title": "Domain name",
         "type": "string"
      },
      "onepassword": {
         "anyOf": [
            {
               "$ref": "#/$defs/OnepasswordConfig"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "Configuration for using 1Password as a static secrets source",
         "title": "1Password configuration"
      },
      "vaultUrl": {
         "anyOf": [
            {
               "format": "uri",
               "minLength": 1,
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "URL of the Vault server. This is required in the merged values file that includes environment overrides, but the environment override file doesn't need to set it, so it's marked as optional for schema checking purposes to allow the override file to be schema-checked independently.",
         "title": "Vault server URL"
      },
      "vaultPathPrefix": {
         "description": "Prefix of Vault paths, including the KV v2 mount point",
         "title": "Vault path prefix",
         "type": "string"
      },
      "applications": {
         "additionalProperties": {
            "$ref": "#/$defs/ApplicationInstance"
         },
         "title": "Applications",
         "type": "object"
      }
   },
   "$defs": {
      "ApplicationInstance": {
         "description": "A Phalanx application as configured for a specific environment.",
         "properties": {
            "name": {
               "title": "Name",
               "type": "string"
            },
            "environment": {
               "title": "Environment",
               "type": "string"
            },
            "chart": {
               "title": "Chart",
               "type": "object"
            },
            "values": {
               "title": "Values",
               "type": "object"
            },
            "secrets": {
               "additionalProperties": {
                  "$ref": "#/$defs/Secret"
               },
               "default": {},
               "description": "Secrets required for this application in this environment.",
               "title": "Required secrets",
               "type": "object"
            }
         },
         "required": [
            "name",
            "environment",
            "chart",
            "values"
         ],
         "title": "ApplicationInstance",
         "type": "object"
      },
      "OnepasswordConfig": {
         "description": "Configuration for 1Password static secrets source.",
         "properties": {
            "connectUrl": {
               "description": "URL to the 1Password Connect API server",
               "format": "uri",
               "minLength": 1,
               "title": "1Password Connect URL",
               "type": "string"
            },
            "vaultTitle": {
               "description": "Title of the 1Password vault from which to retrieve secrets",
               "title": "1Password vault title",
               "type": "string"
            }
         },
         "required": [
            "connectUrl",
            "vaultTitle"
         ],
         "title": "OnepasswordConfig",
         "type": "object"
      },
      "Secret": {
         "additionalProperties": false,
         "description": "Specification for an application secret for a specific environment.\n\nThe same as `SecretConfig` except augmented with the secret application\nand key for internal convenience.",
         "properties": {
            "description": {
               "description": "Description of the secret",
               "title": "Description",
               "type": "string"
            },
            "copy": {
               "anyOf": [
                  {
                     "$ref": "#/$defs/SecretCopyRules"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": null,
               "description": "Rules for where the secret should be copied from",
               "title": "Copy rules"
            },
            "generate": {
               "anyOf": [
                  {
                     "$ref": "#/$defs/SimpleSecretGenerateRules"
                  },
                  {
                     "$ref": "#/$defs/SourceSecretGenerateRules"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": null,
               "description": "Rules for how the secret should be generated",
               "title": "Generation rules"
            },
            "onepassword": {
               "allOf": [
                  {
                     "$ref": "#/$defs/SecretOnepasswordConfig"
                  }
               ],
               "description": "Configuration for how the secret is stored in 1Password",
               "title": "1Password configuration"
            },
            "value": {
               "anyOf": [
                  {
                     "format": "password",
                     "type": "string",
                     "writeOnly": true
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": null,
               "description": "Fixed value of secret",
               "title": "Value"
            },
            "key": {
               "title": "Key",
               "type": "string"
            },
            "application": {
               "title": "Application",
               "type": "string"
            }
         },
         "required": [
            "description",
            "key",
            "application"
         ],
         "title": "Secret",
         "type": "object"
      },
      "SecretCopyRules": {
         "additionalProperties": false,
         "description": "Rules for copying a secret value from another secret.",
         "properties": {
            "application": {
               "description": "Application from which the secret should be copied",
               "title": "Application",
               "type": "string"
            },
            "key": {
               "description": "Secret key from which the secret should be copied",
               "title": "Key",
               "type": "string"
            }
         },
         "required": [
            "application",
            "key"
         ],
         "title": "SecretCopyRules",
         "type": "object"
      },
      "SecretOnepasswordConfig": {
         "description": "Configuration for how a static secret is stored in 1Password.",
         "properties": {
            "encoded": {
               "default": false,
               "description": "Whether the 1Password copy of the secret is encoded in base64. 1Password doesn't support newlines in secrets, so secrets that contain significant newlines have to be encoded when storing them in 1Password. This flag indicates that this has been done, and therefore when retrieving the secret from 1Password, its base64-encoding must be undone.",
               "title": "Is base64-encoded",
               "type": "boolean"
            }
         },
         "title": "SecretOnepasswordConfig",
         "type": "object"
      },
      "SimpleSecretGenerateRules": {
         "additionalProperties": false,
         "description": "Rules for generating a secret value with no source information.",
         "properties": {
            "type": {
               "description": "Type of secret",
               "enum": [
                  "password",
                  "gafaelfawr-token",
                  "fernet-key",
                  "rsa-private-key"
               ],
               "title": "Secret type",
               "type": "string"
            }
         },
         "required": [
            "type"
         ],
         "title": "SimpleSecretGenerateRules",
         "type": "object"
      },
      "SourceSecretGenerateRules": {
         "description": "Rules for generating a secret from another secret.",
         "properties": {
            "type": {
               "description": "Type of secret",
               "enum": [
                  "bcrypt-password-hash",
                  "mtime"
               ],
               "title": "Secret type",
               "type": "string"
            },
            "source": {
               "description": "Key of secret on which this secret is based. This may only be set by secrets of type `bcrypt-password-hash` or `mtime`.",
               "title": "Source key",
               "type": "string"
            }
         },
         "required": [
            "type",
            "source"
         ],
         "title": "SourceSecretGenerateRules",
         "type": "object"
      }
   },
   "required": [
      "name",
      "fqdn",
      "vaultPathPrefix",
      "applications"
   ]
}

Config:
  • alias_generator: function = to_camel_case

  • populate_by_name: bool = True

Fields:
Validators:
field applications: dict[str, ApplicationInstance] [Required]#

Applications enabled for that environment, by name.

field fqdn: str [Required]#

Fully-qualified domain name on which the environment listens

field name: str [Required]#

Name of the environment

field onepassword: OnepasswordConfig | None = None#

Configuration for using 1Password as a static secrets source

Validated by:
  • _validate_onepassword

field vault_path_prefix: str [Required] (alias 'vaultPathPrefix')#

Prefix of Vault paths, including the KV v2 mount point

field vault_url: AnyHttpUrl | None = None (alias 'vaultUrl')#

URL of the Vault server. This is required in the merged values file that includes environment overrides, but the environment override file doesn’t need to set it, so it’s marked as optional for schema checking purposes to allow the override file to be schema-checked independently.

all_applications()#

Return all enabled applications in sorted order.

Return type:

list[ApplicationInstance]

all_secrets()#

Return all secrets regardless of application.

Return type:

list[Secret]

model_dump(**kwargs)#

Export the model as a dictionary.

Overridden to change the default of by_alias from False to True, so that by default the exported dictionary uses camel-case.

Parameters:

kwargs (Any) –

Return type:

dict[str, Any]

model_dump_json(**kwargs)#

Export the model as JSON.

Overridden to change the default of by_alias from False to True, so that by default the exported JSON uses camel-case.

Parameters:

kwargs (Any) –

Return type:

str

property vault_path: str#

Vault path without the initial KV v2 mount point.

property vault_read_approle: str#

Name of the Vault read AppRole for this environment.

property vault_read_policy: str#

Name of the Vault read policy for this environment.

property vault_write_policy: str#

Name of the Vault write policy for this environment.

property vault_write_token: str#

Display name of the Vault write token for this environment.

Unlike AppRole names, this could include a slash, but it uses the same base name as the AppRole for consistency and simplicity. Vault always prepends token-, which we strip off when creating the token.