tintoy / dotnet-kube-client

A Kubernetes API client for .NET Standard / .NET Core
MIT License
192 stars, 33 forks

KubeClient & Core Data Protection #94

Closed rriverak closed 6 months ago

rriverak commented 5 years ago

Hey, thank you for this very handy client!
I currently have the need to enable Data Protection in my distributed dotnet application(s).

I would like to use native Kubernetes Secrets for this. A third-party Secret-Vault like HashiCorp Vault seems oversized to me. In my opinion, this scenario can be covered by Kubernetes alone.

A Package based on KubeClient.Extensions.Configuration could do that safely and quickly.

I think we just need some glue code between DataProtection and KubeClient.

```csharp
services.AddDataProtection()
    // Get the key-signing certificate from a Kubernetes Secret
    .ProtectKeysWithKubernetesSecret(...)
    // Store the signed, rotated keys in a Kubernetes Secret
    .PersistKeysToKubernetesSecret(...);
```

It would then end up in a KubeClient.Extensions.DataProtection package.

How can I contribute something like that? Or do you see something like this living outside of this project?

tintoy commented 5 years ago

Hi - this sounds like a great idea :)

I’m happy for you to open a PR if you would like to have a go at this (and am happy to help out if there’s anywhere you get stuck that I actually know something about).

tintoy commented 5 years ago

If you’re not sure how to start, I could create a branch and sketch out the project structure so you could drop your code in...

rriverak commented 5 years ago

Hey, thanks for the very fast answer :) I would first write a small application and test the procedure in minikube.

If this works as expected, I will transfer it to a netstandard2.0 library. After or during that, I would contact you again to get a branch and sketch out the project structure.

Many thanks!

rriverak commented 5 years ago

So, after the first few tests, I would not build on top of the KubeClient.Extensions.Configuration package.
The idea was to hook the secret-loading implementation, but I see no clean way to do that outside of IConfiguration...

The real problem here is that the IConfiguration contains the plain DataProtection keys over the whole runtime, and this could be a bad idea ;)

For now, I'll start the implementation with the pure KubeClient and request / create / update the Secret directly...
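
A sketch of that glue as an added example (not code from this issue or from the KubeClient project): an IXmlRepository that keeps the DataProtection key ring in a single Kubernetes Secret, read on demand through KubeClient so the keys never sit in IConfiguration for the process lifetime. The KubeClient call shapes (SecretsV1().Get returning null when absent, Create, Update taking a JSON-patch action, and the model initialising its Data dictionary) are assumptions, not verified against a specific release.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Xml.Linq;
using KubeClient;
using KubeClient.Models;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.Repositories;
using Microsoft.Extensions.DependencyInjection;
public sealed class KubeSecretXmlRepository : IXmlRepository
{
    readonly IKubeApiClient _client; readonly string _name, _ns;
    public KubeSecretXmlRepository(IKubeApiClient client, string name, string ns) => (_client, _name, _ns) = (client, name, ns);
    // IXmlRepository is synchronous, so the async KubeClient calls are awaited inline.
    // Assumed KubeClient shape: SecretsV1().Get(name, ns) returns null when the Secret does not exist.
    public IReadOnlyCollection<XElement> GetAllElements()
    {
        SecretV1 secret = _client.SecretsV1().Get(_name, _ns).GetAwaiter().GetResult();
        if (secret?.Data == null) return Array.Empty<XElement>();
        return secret.Data.Values   // the API server returns Secret values base64-encoded
            .Select(v => XElement.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(v))))
            .ToList();
    }
    // One DataProtection key per entry in the Secret's data map (friendly name -> base64 key XML).
    public void StoreElement(XElement element, string friendlyName)
    {
        string key = (friendlyName ?? Guid.NewGuid().ToString("N")) + ".xml";
        string value = Convert.ToBase64String(Encoding.UTF8.GetBytes(element.ToString(SaveOptions.DisableFormatting)));
        SecretV1 secret = _client.SecretsV1().Get(_name, _ns).GetAwaiter().GetResult();
        var data = new Dictionary<string, string>(secret?.Data ?? new Dictionary<string, string>()) { [key] = value };
        if (secret == null)   // first key ever: create the Secret (assumes the model initialises Data)
        {
            var created = new SecretV1 { Metadata = new ObjectMetaV1 { Name = _name, Namespace = _ns } };
            foreach (var kv in data) created.Data[kv.Key] = kv.Value;
            _client.SecretsV1().Create(created).GetAwaiter().GetResult();
        }
        else   // assumed KubeClient shape: Update(name, patch => ..., ns) applies a JSON patch to the Secret
            _client.SecretsV1().Update(_name, patch => patch.Replace(s => s.Data, data), _ns).GetAwaiter().GetResult();
    }
}

// The glue method from the sketch above: services.AddDataProtection().PersistKeysToKubernetesSecret(...)
public static class DataProtectionKubeExtensions
{
    public static IDataProtectionBuilder PersistKeysToKubernetesSecret(this IDataProtectionBuilder b, IKubeApiClient c, string name, string ns)
    {
        b.Services.Configure<KeyManagementOptions>(o => o.XmlRepository = new KubeSecretXmlRepository(c, name, ns)); return b;
    }
}
```

Note that this only persists the key ring: without a ProtectKeysWith... step (an IXmlEncryptor) the key material is stored in the Secret as plain XML, so access to that Secret should be restricted by RBAC to the service account of the app.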

rriverak commented 5 years ago

That seems to work well now.

Here is my test repository: https://github.com/rriverak/KubeClient.Extensions.DataProtection

tintoy commented 5 years ago

Wow - you work fast :)

I'm happy to handle this one of two ways (although feel free to suggest something else if you have other preferences):

  1. I can pull your code into this repository and get it released and published along the rest of KubeClient (I'll add you as a repo contributor so you can help maintain it).
  2. I can help you set up CI to get your package built and published from your own repo in a way that's similar/compatible with how it's done for KubeClient (you'll decide when you want to release new versions of your package). Given the way KubeClient was designed and built, this is also a totally valid way to release additional functionality for it.

rriverak commented 5 years ago

I'm a fan of monorepos ;-) I would be very happy to see my code in the KubeClient repository :)

tintoy commented 5 years ago

Ok, I’ll have a go at integrating your code this weekend on a branch and get you to do a review when it’s ready. How’s that sound?

tintoy commented 5 years ago

What version of ASP.NET Core are you expecting to target? This will affect the library’s TargetFramework (I think 3.x, for example, only supports netcoreapp from memory but I could be mistaken - I’m on my phone at the moment).

tintoy commented 5 years ago

(technically netstandard2.1 but we’ll have to multi-target if you want to support ASP.NET Core 2.x as well)

rriverak commented 5 years ago

I think it's good to support .NET Core 2.2. After all, there is an LTS release for .NET Core 2.2.

The target of Microsoft.AspNetCore.DataProtection 2.2.x is netstandard2.0. I think we can follow that for now.

In 3.0.0-preview9 they target both netstandard2.0 and netcoreapp3.0.

tintoy commented 5 years ago

Good-o, I’ll get started on this first thing tomorrow (it’s 10pm here).

rriverak commented 5 years ago

Many thanks for your effort! I have no time pressure on this topic. :)

tintoy commented 5 years ago

Sorry this has taken so long, work’s been a bit crazy!

I’m going to try to get this finished off over the weekend.

tintoy commented 5 years ago

Ok - I've published a build of the new package to the dev package feed (https://www.myget.org/F/dotnet-kube-client/api/v3/index.json).

Would you mind trying out the package and letting me know if it works for you? You're looking for KubeClient.Extensions.DataProtection, version 2.4.0-data-protection0006.

tintoy commented 6 months ago

And, years later, this has finally been implemented; sorry it took so long 🙂

Published as KubeClient.Extensions.DataProtection v2.5.8.