Spike: research current secrets configuration modes - is there a common standard?

We currently support many different tools in Kubernetes to deliver secrets from Conjur to applications running in Kubernetes that need them. In particular, we have:

Secrets Provider
Secretless
Authn-K8s + Summon
Authn-K8s + Conjur client library

Each of these uses a different configuration to specify what secrets to retrieve from Conjur and how to use them. In this spike, we want to review the existing configuration mechanisms to understand whether they can be simplified to use a common standard, and whether there would be any benefit to doing so.

For example, if we ultimately end up with a single CyberArk Secrets Provider container image that can be run in any of the above modes:

to "push to k8s secrets" (as init container or job) - uses secrets map
to provide secretless access to targets (as sidecar) - uses secretless.yml
to provide a Conjur access token that Summon uses to inject secrets at startup (as init container) - uses secrets.yml, or
to provide a Conjur access token that a client library can use to retrieve secrets for the application - has no standard config

What would it look like to specify the secret configuration for an application using the single CyberArk Secrets Provider container? If we standardize on providing configuration for secrets in ConfigMap, is there a way to standardize on this regardless of configuration (Secretless, Secrets Provider, Authn-K8s + Summon, Authn-K8s + Client Libraries)?

AC:

[x] There is a write-up (in a gist or comment on this issue) walking through the different types of configuration (with examples) used by these 4 operational modes. Note whether there are clear pros / cons of each, and make a recommendation for possibilities to standardize them, the cost / benefit of doing so, and whether it is worth doing.

cyberark / conjur

Spike: research current secrets configuration modes - is there a common standard? #2031