Command-line interface#

Many administrative actions for Phalanx environments are being moved into a Phalanx command-line tool. The commands for the phalanx CLI are documented here.

Warning

Phalanx does not yet use the secrets management and Vault credential management approach implemented by this tool. It is currently being tested and is not ready for general use. This warning will be removed once it is ready.

phalanx#

Administrative command-line interface for Phalanx.

phalanx [OPTIONS] COMMAND [ARGS]...

Options

--version#

Show the version and exit.

environment#

Commands for Phalanx environment configuration.

phalanx environment [OPTIONS] COMMAND [ARGS]...

schema#

Generate schema for environment configuration.

The output is a JSON schema for the values-<environment>.yaml file for a Phalanx environment. If the --output flag is not given, the schema is printed to standard output.

Users normally don’t need to run this command. It is used to update the schema file in the Phalanx repository, which is used by a pre-commit hook to validate environment configuration files before committing them.

phalanx environment schema [OPTIONS]

Options

-o, --output <output>#

Path to which to write schema.

help#

Show help for any command.

phalanx help [OPTIONS] [TOPIC] [SUBTOPIC]

Arguments

TOPIC#

Optional argument

SUBTOPIC#

Optional argument

secrets#

Secret manipulation commands.

phalanx secrets [OPTIONS] COMMAND [ARGS]...

audit#

Audit secrets for an environment.

The secrets stored in Vault for the given environment will be compared to the secrets required for all applications enabled for that environment, and any discrepancies will be noted. The audit report will be printed to standard output and will be empty if no issues were found.

The environment variable VAULT_TOKEN must be set to a token with read access to the Vault data for the given environment.

phalanx secrets audit [OPTIONS] ENVIRONMENT

Options

-c, --config <config>#

Path to root of Phalanx configuration.

--secrets <secrets>#

YAML file containing static secrets for this environment.

Arguments

ENVIRONMENT#

Required argument

list#

List all secrets required for a given environment.

phalanx secrets list [OPTIONS] ENVIRONMENT

Options

-c, --config <config>#

Path to root of Phalanx configuration.

Arguments

ENVIRONMENT#

Required argument

schema#

Generate schema for application secret definition.

The output is a JSON schema for the secrets.yaml file for an application, which specifies the secrets required for that application. If the --output flag is not given, the schema is printed to standard output.

Users normally don’t need to run this command. It is used to update the schema file in the Phalanx repository, which is used by a pre-commit hook to validate secrets.yaml files before committing them.

phalanx secrets schema [OPTIONS]

Options

-o, --output <output>#

Path to which to write schema.

static-template#

Generate a template for static secrets.

Static secrets may be provided to other commands that need to know them (most notably phalanx secrets sync) via the --secrets flag, which points to a YAML file containing the static secrets for an environment. This command generates a template for that YAML file. It will contain the descriptions for each secret and a place for the value of that secret to be filled in.

The template is public information, but (somewhat obviously) once secret values have been added to it, this file must be kept secure and private to Phalanx administrators for that environment.

phalanx secrets static-template [OPTIONS] ENVIRONMENT

Options

-c, --config <config>#

Path to root of Phalanx configuration.

Arguments

ENVIRONMENT#

Required argument

sync#

Synchronize environment secrets with Vault.

The secrets required for all enabled applications for the given environment are compared with the secrets stored for that environment in Vault, any missing or incorrect secrets are updated, and optionally any extraneous secrets may be deleted.

The environment variable VAULT_TOKEN must be set to a token with read and write access to the secrets for this environment (and optionally delete access). If Vault credentials are managed through this tool, such a token can be created with the phalanx vault create-write-token command.

phalanx secrets sync [OPTIONS] ENVIRONMENT

Options

-c, --config <config>#

Path to root of Phalanx configuration.

--delete#

Delete any unexpected secrets in Vault.

--regenerate#

Regenerate (change) all generated secrets.

--secrets <secrets>#

YAML file containing static secrets for this environment.

Arguments

ENVIRONMENT#

Required argument

vault-secrets#

Write the Vault secrets for the given environment.

One JSON file per application with secrets will be created in the output directory, containing the secrets for that application. If the value of a secret is not known, it will be written as null.

The environment variable VAULT_TOKEN must be set to a token with read access to the Vault data for the given environment.

phalanx secrets vault-secrets [OPTIONS] ENVIRONMENT OUTPUT

Options

-c, --config <config>#

Path to root of Phalanx configuration.

Arguments

ENVIRONMENT#

Required argument

OUTPUT#

Required argument
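
A post-run check over the output directory described above, as an added example that is not part of the Phalanx documentation or code: it lists secrets written as null and flags files readable beyond their owner. The `<application>.json` file naming, the flat key-to-value JSON layout, and the application and secret names are assumptions made for illustration.

```python
import json
import os
import stat
import tempfile
from pathlib import Path


def check_vault_secrets_dump(output_dir):
    """Return (unknown, loose): null-valued secrets and over-permissive files.

    Assumes each file is <application>.json holding a flat JSON object that
    maps secret key to value (assumed layout, not confirmed by the docs).
    """
    unknown, loose = [], []
    for path in sorted(Path(output_dir).glob("*.json")):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access
            loose.append((path.name, oct(mode)))
        secrets = json.loads(path.read_text())
        for key, value in sorted(secrets.items()):
            if value is None:  # null means the value was not known
                unknown.append((path.stem, key))
    return unknown, loose


def build_sample_dump(directory):
    """Write constructed sample files standing in for real command output."""
    samples = {
        "app-one": ({"api-token": None, "db-password": "constructed"}, 0o600),
        "app-two": ({"session-key": "constructed"}, 0o644),
    }
    for app, (secrets, mode) in samples.items():
        path = Path(directory) / f"{app}.json"
        path.write_text(json.dumps(secrets))
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dump(tmp)
        unknown, loose = check_vault_secrets_dump(tmp)
        for app, key in unknown:
            print(f"{app}: secret {key!r} has no known value (null)")
        for name, mode in loose:
            print(f"{name}: mode {mode} is readable beyond the owner")
```
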

vault#

Vault management commands.

phalanx vault [OPTIONS] COMMAND [ARGS]...

audit#

Audit Vault credentials for an environment.

The audit report will be printed to standard output and will be empty if no issues were found.

The environment variable VAULT_TOKEN must be set to a token with access to read policies, AppRoles, tokens, and token accessors.

phalanx vault audit [OPTIONS] ENVIRONMENT

Options

-c, --config <config>#

Path to root of Phalanx configuration.

Arguments

ENVIRONMENT#

Required argument

create-read-approle#

Create a new Vault read AppRole.

The created AppRole will have read access to all of the Vault secrets for the given environment. It is intended for use by vault-secrets-operator to maintain Kubernetes secrets from the Phalanx Vault secrets.

The environment variable VAULT_TOKEN must be set to a token with access to create policies and AppRoles, list AppRole SecretID accessors, and revoke AppRole SecretIDs.

phalanx vault create-read-approle [OPTIONS] ENVIRONMENT

Options

-c, --config <config>#

Path to root of Phalanx configuration.

Arguments

ENVIRONMENT#

Required argument

create-write-token#

Create a new Vault write token.

The created token will have read, write, delete, and destroy access to all of the Vault secrets for the given environment. It is intended for interactive use with this tool to synchronize environment secrets to Vault.

The environment variable VAULT_TOKEN must be set to a token with access to list token accessors, create policies, and create and revoke tokens.

phalanx vault create-write-token [OPTIONS] ENVIRONMENT

Options

-c, --config <config>#

Path to root of Phalanx configuration.

--lifetime <lifetime>#

Token lifetime in Vault duration format.

Arguments

ENVIRONMENT#

Required argument