Support Kubernetes secrets / dapr

[fgheysels]

Arcus.Security has a great support for Azure KeyVault and some other secret providers

However, afaik, we do not currently support Kubernetes secrets. Actually, a Kubernetes secret can be just retrieved from the configuration, and that is also how I'm doing it right now. (I am adding the configuration as a secret provider). Maybe be can improve this ? Making it a bit more explicit ?

Next to that, when creating services that run in Kubernetes, people are also making use of Dapr. One of the Dapr components is for secret management.
It allows you to abstract access to your secret store: you configure the dapr secret component to connect to KeyVault for instance , and from your application code you use the dapr api to retrieve the secret. More info can be found here.

I think we should consider creating an Arcus secretprovider so that you're able to interact with your Dapr secret component. This allows developers to abstract away the communication with the Dapr API to get their secrets.

[stijnmoreels]

Sounds like a plan 👍

Kubernetes uses mostly environment variables to pass along information? We could mark secrets with something like SECRET_ to only get those. The application configuration can get then everything else, for example; so that no duplicate values are stored in either the secret store or application configuration. (Thinking out loud here).

But yes, I like the idea of also abstracting this Dapr secret management as there is no need for the application code to know where the secret value is coming from (and we can provide our other secret store functionality like caching on it).

I'm wondering how we can test this? We have for example a HashiCorp Vault secret provider in our repo and it is tested by running locally an instance of the Vault. Maybe we can do something like that for Dapr, too?

[stijnmoreels]

Seems like we could run this secret management too with a simple command, so I guess we can create a self-contained test (like HashiCorp Vault) for this: https://github.com/dapr/quickstarts/tree/master/secrets_management/csharp/sdk 👍

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: localsecretstore
spec:
  type: secretstores.local.file
  version: v1
  metadata:
  - name: secretsFile
    value: secrets.json  #path to secrets file
  - name: nestedSeparator
    value: ":"

[stijnmoreels]

@fgheysels , we can move this as an issue, right?

[fgheysels]

Yes, I've re-created this as an issue here: #410