- upgrade dependencies (several) including vulnerability fixes
- (dev) combined test & development dependency groups
- dependency updates
- minor logging tweaks
- iron out some warts
- Add testcontainers for development
- Add integration test to test against a "real" (testcontainers) Vault
- Improve test coverage
- Replace many pre-commit hooks with ruff
- Use a separate configuration file
ruff.tomlfor ruff with only local tweaks inpyproject.toml
- Add timeout configuration to secretsmangager client and default 5s to reduce wait time when vault is unavailable. May be overridden in code or using the VAULT_TIMEOUT environment variable.
- exclude example files from guardian scanning
- github workflow changes
- Reduced complexity in vault secrets caching, now simply caches all secrets as a single dict. If non-empty, the cache is always used to return individual values with the assumption that the vault secrets remain unchanged during the lifetime of the process, which is the intended use case.
- Use <mount_point>/data/<base_path> for secret values, vault kv store compatible.
- client.write **kwargs to generate the POST api request correctly (previously not working)
- rewrote and simplified vault secrets related tests using pytest parameterization
- add
envsecretsscript, used to split a .env into persistent values and inject secrets into vault based on a template. provide an example of how this might be used.
- Allow base_path to be set via env variable $VAULT_PATH.
- Add support for $VAULT_CLIENT_CERT and $VAULT_CLIENT_KEY
These changes allow full configuration of the secrets manager backend using the environment.
- Simplified and extended SecretsManager back-end
- removed tie to kv secrets engine
- add optional 'engine' param to Env/SecretsManager to determine path prefix, or override
- add key delete, list methods
- add vault seal handler, vault cli no longer required on host to unseal
- add support for $VAULT_CACERT to specify CA certificate path
- Support for Hashicorp vault via a secrets manager
- install optional "hvac" dependency to enable, else no-op
- read hvac documentation for usage (eg VAULT_TOKEN and VAULT_ADDR)
- by default, environment values override vault ones. To modify this behaviour, set ENVEX_SRC=vault to have vault values override. ENVEX_SRC=env by default.
- args to Env() added to support vault client configuration
- vault secrets are cached by default
- base_path arg may be used to set a based vault path, i.e. f"/secret/{base_path}/key", allowing specific secrets to be used for different environments and roles
- revert to poetry for project management (.lock file used by dependabot)
- make working directory variables $CWD/$PWD optional (default=True)
- handle search_path parameter passed as an os.pathsep separated string
- clean up some internals
- allow passing a type as str in
__call__, and optimise__call__ - reordered kwargs used in dot_env for consistency
- implemented pre-commit with ruff, black, isort
- handle "export" in .env files correctly - pass to os.environ if "export" is used
- also allow for other (as yet unimplemented) special commands or key=val prefixes
- ensure that env_path is resolved before updating $PWD
- updated
$PWD/$CWDhandling again, set these rather than setdefault to override possible values from the shell to provide more consistent results
- updated implied
$PWDhandling:$CWDis setdefault for the process current directory (this was previously $PWD)$PWDis setdefault for the directory containing the .env file
- errors: bool arg load_env and friends, defaults to False
- if errors=True, FileNotFoundError is raised when no usable .env (
$DOTENV) file is found
- if errors=True, FileNotFoundError is raised when no usable .env (