
Loading of secrets from files #1036

Open
3 tasks done
dadrus opened this issue Nov 15, 2023 · 0 comments
Labels
feature Used for new features
Milestone

Comments

@dadrus
Owner

dadrus commented Nov 15, 2023

Preflight checklist

Describe the background of your feature request

As of today, the loading of keys for TLS and Signer (to issue JWTs) happens from files. Unlike this, in all other places, like the configuration of API keys etc. in mechanisms, the loading of secrets/sensitive data happens either from the config file or from env variables. Both are actually far away from being an optimal approach - in both cases the values of these secrets could potentially leak. For that reason, loading of secrets from files should be supported in such places as well.

Describe your idea

There are basically two approaches known and also discussed in https://discord.com/channels/1100447190796742698/1131484813258391665/1131484813258391665.

Alternative 1

Making use of a file scheme to reference a locally available file containing the secret. Here is an example:

mechanisms:
  authenticators:
  - id: hydra_authenticator
    type: oauth2_introspection
    config:
      introspection_endpoint:
        url: http://hydra:4445/oauth2/introspect
        auth:
          type: basic_auth
          config:
            user: ${INTROSPECT_EP_USER} # taken from env
            password: file://path_to_file_with_password # taken from file

Pros:

  • This is most probably the simplest approach
  • Easy to apply in Kubernetes since you can just mount all keys of a secret as individual files in some pod dir. The same is actually true for non-k8s deployments.
  • Easy to integrate with secret management systems

Cons:

  • Fragmentation of secrets - these are scattered across multiple files.

Alternative 2

Making use of a special secrets.yaml file, which would hold the corresponding values in a structured way. By reusing the example from 1, the contents of that file could look like

secrets:
  hydra:
    user: admin
    pass: hunter2

And the usage in the config file would then be

mechanisms:
  authenticators:
  - id: hydra_authenticator
    type: oauth2_introspection
    config:
      introspection_endpoint:
        url: http://hydra:4445/oauth2/introspect
        auth:
          type: basic_auth
          config:
            user: ${{ secrets.hydra.user }} # or secrets://hydra.user
            password: ${{ secrets.hydra.pass }} # or secrets://hydra.pass

Pros:

  • Also easy to use

Cons:

  • Integration with secret management systems is problematic
  • There is a need to move all secrets to a single place (the secrets.yaml file shown above)
  • Based on that, the management of secrets becomes harder compared to 1, and
  • Application in a Kubernetes environment becomes harder as well, as the different secrets would have to be merged into a single file with a specific structure.
  • Might tempt people to store that secrets.yaml file encrypted in git, which is actually a bad practice.

Are there any workarounds or alternatives?

All described above

Version

0.11.1-alpha

Additional Context

No response
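The following is an added example (not code from the heimdall project or from this issue) of how a config loader could resolve the three reference styles discussed above: `${NAME}` from the environment, `file://path` from a mounted secret file, and `secrets://a.b` or `${{ secrets.a.b }}` from a flattened secrets store that stands in for the proposed secrets.yaml. The `Resolver` type, its method names and the mount path under `/run/secrets/` are assumptions; the secrets store is a constructed map rather than a parsed YAML file. The two defender-relevant details it shows are that an unresolvable reference is a hard error (so a string such as `file://...` is never silently used as the literal password) and that a trailing newline in a secret file is stripped, since `echo secret > file` and a Kubernetes secret mount otherwise yield different credentials.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrUnresolved is returned when a reference cannot be resolved. A value
// that looks like a reference must never fall back to being the literal.
var ErrUnresolved = errors.New("unresolved secret reference")

// Resolver turns the reference syntaxes from the issue into plain values.
// The lookups are injectable so the logic can be exercised without touching
// the real environment or filesystem. (Hypothetical type, not heimdall's.)
type Resolver struct {
	LookupEnv func(string) (string, bool)  // e.g. os.LookupEnv
	ReadFile  func(string) ([]byte, error) // e.g. os.ReadFile
	Secrets   map[string]string            // flattened secrets.yaml: "hydra.user" -> value (constructed stand-in)
}

// Resolve handles:
//
//	${NAME}             -> environment variable NAME
//	file://path         -> contents of path, trailing newline stripped
//	secrets://a.b       -> key "a.b" of the secrets store
//	${{ secrets.a.b }}  -> same as secrets://a.b
//
// Anything else is returned unchanged as a literal value.
func (r Resolver) Resolve(v string) (string, error) {
	switch {
	case strings.HasPrefix(v, "file://"):
		path := strings.TrimPrefix(v, "file://")
		b, err := r.ReadFile(path)
		if err != nil {
			return "", fmt.Errorf("%w: %s: %v", ErrUnresolved, v, err)
		}
		// `echo secret > file` leaves a trailing newline; a mounted k8s
		// secret does not. Normalise so both produce the same credential.
		return strings.TrimRight(string(b), "\r\n"), nil

	case strings.HasPrefix(v, "secrets://"):
		return r.fromStore(strings.TrimPrefix(v, "secrets://"), v)

	// Must be checked before the plain ${NAME} form, which it also matches.
	case strings.HasPrefix(v, "${{") && strings.HasSuffix(v, "}}"):
		inner := strings.TrimSpace(strings.TrimSuffix(strings.TrimPrefix(v, "${{"), "}}"))
		if !strings.HasPrefix(inner, "secrets.") {
			return "", fmt.Errorf("%w: %s", ErrUnresolved, v)
		}
		return r.fromStore(strings.TrimPrefix(inner, "secrets."), v)

	case strings.HasPrefix(v, "${") && strings.HasSuffix(v, "}"):
		val, ok := r.LookupEnv(v[2 : len(v)-1])
		if !ok {
			return "", fmt.Errorf("%w: %s", ErrUnresolved, v)
		}
		return val, nil
	}
	return v, nil
}

func (r Resolver) fromStore(key, ref string) (string, error) {
	val, ok := r.Secrets[key]
	if !ok {
		return "", fmt.Errorf("%w: %s", ErrUnresolved, ref)
	}
	return val, nil
}

// ResolveAll resolves every value of a flat config map and fails on the first
// broken reference, so a misconfigured deployment does not start up with a
// placeholder string where a credential was expected.
func (r Resolver) ResolveAll(cfg map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(cfg))
	for k, v := range cfg {
		res, err := r.Resolve(v)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out[k] = res
	}
	return out, nil
}

func main() {
	r := Resolver{
		LookupEnv: os.LookupEnv,
		ReadFile:  os.ReadFile,
		Secrets:   map[string]string{"hydra.user": "admin", "hydra.pass": "hunter2"}, // constructed
	}
	cfg := map[string]string{
		"user":     "${INTROSPECT_EP_USER}",
		"password": "file:///run/secrets/hydra_password", // hypothetical mount path
	}
	resolved, err := r.ResolveAll(cfg)
	if err != nil {
		fmt.Println("config error:", err) // report the reference, never the value
		return
	}
	fmt.Println("resolved", len(resolved), "values")
}
```

The error messages carry only the reference text (`file://...`, `${NAME}`), never the resolved value, so a failing startup log does not become a second place where the secret can leak.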
