Prepare Secret
Creates or inspects the Witboost secret as a JSON file ready to upload to a secret backend compatible with External Secrets Operator (e.g. HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GitLab Variables).
Prerequisites
init only: a valid license bundle must have been provided by the Witboost team.
update / validate: the existing secret JSON file must be available.
Usage
witboost-infra prepare-secret <subcommand> [options]
| Subcommand | Argument | Description |
|---|---|---|
| init | — | Interactively generate a new secret JSON file from scratch |
| update | <file> | Load an existing secret JSON file and apply key mutations |
| validate | <file> | Validate an existing secret JSON file |
init Options
| Option | Description | Default |
|---|---|---|
| --output <file> | Path for the output file | ~/.witboost-infra/output/ready_to_use_secret.json |
update Options
| Option | Description |
|---|---|
| --add-key <KEY:VALUE> | Add or set a key. Comma-separate for multiple: KEY1:VAL1,KEY2:VAL2 |
| --modify-key <KEY:VALUE> | Modify an existing key. Comma-separate for multiple: KEY1:VAL1,KEY2:VAL2 |
| --remove-key <KEY> | Remove a key. Comma-separate for multiple: KEY1,KEY2 |
| --output <file> | Path for the output file (default: same as init) |
At least one of --add-key, --modify-key, or --remove-key is required. Each flag may only be specified once.
validate Options
| Argument | Description |
|---|---|
| <file> | Path to the secret JSON file to validate |
Examples
Generate a new secret
init prompts for DB Host, DB Port, DB Username, DB Password, and License bundle. Other secrets are automatically generated.
# Writes to default location
witboost-infra prepare-secret init
# Writes to a custom location
witboost-infra prepare-secret init --output my_secret.json
init writes the ten core keys only. Add optional keys (e.g. TECHNICAL_GITLAB_TOKEN) with update afterwards.
Update an existing secret
# Add a key
witboost-infra prepare-secret update existing_secret.json --add-key TECHNICAL_GITLAB_TOKEN:mytoken
# Multiple mutations
witboost-infra prepare-secret update existing_secret.json \
--add-key KEY1:VAL1,KEY2:VAL2 \
--remove-key OLD_KEY \
--output updated_secret.json
After all mutations, advisory warnings are printed for any missing or malformed mandatory key.
Validate an existing secret
Checks an existing secret file without modifying it.
witboost-infra prepare-secret validate existing_secret.json
Output
A JSON file ({"KEY":"value",...}), written to ~/.witboost-infra/output/ready_to_use_secret.json by default. Use --output <file> to specify a custom path.
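A pre-upload check for the output file, added here as an example and not part of witboost-infra: it flags file permissions that expose the secret to other local users and JSON shapes that differ from the flat {"KEY":"value",...} form, without printing any value. The function name, the 0600 expectation and the string-only rule are assumptions of this example.

```python
import json
import os
import stat
import sys

# Default output path documented on this page.
DEFAULT_PATH = os.path.expanduser("~/.witboost-infra/output/ready_to_use_secret.json")


class JsonObject(list):
    """A JSON object kept as (key, value) pairs so duplicate keys stay visible."""


def check_secret_file(path):
    """Return findings for a secret JSON file. Values are never echoed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Assumption: only the owning user should be able to read the file.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} grants group/other access; expected 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh, object_pairs_hook=JsonObject)
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        return findings + [f"not valid JSON ({type(exc).__name__})"]
    if not isinstance(data, JsonObject):
        return findings + ["top level is not a JSON object"]
    seen = set()
    for key, value in data:
        if key in seen:
            findings.append(f"{key}: duplicate key, a parser may keep either value")
        seen.add(key)
        # Assumption: every value is a string, as in {"KEY":"value",...}.
        if not isinstance(value, str):
            findings.append(f"{key}: value is not a string")
        elif not value:
            findings.append(f"{key}: value is empty")
        elif value != value.strip():
            findings.append(f"{key}: value has leading or trailing whitespace")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    problems = check_secret_file(target)
    for problem in problems:
        print("WARN", problem)
    sys.exit(1 if problems else 0)
```

This complements prepare-secret validate, which reports on mandatory keys; run both before uploading the file to the secret backend.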