VMware Secrets Manager is a lightweight secrets manager to protect your sensitive data. It’s perfect for edge deployments where energy and footprint requirements are strict—See more: https://vsecm.com/
A secret "value" that has this structure will NOT be stored as is but will be transformed into a declaration IF it is coming from a relay client.
A relay "Server" will have a registered secret similar to the text above "per trust domain" that it is going to relay.
A GET /secrets/stardubz.example.com+{key} will return an encrypted version of the above secret.
The secrets will be stored as if they were secrets registered to a special vsecm:trust:stardubz.example.com workload name (this would make it easy for an operator to create secrets "for" trust domains).
In a multi-tenant scenario, if multiple tenants define different secrets for the same trust domain, the secrets will be MERGED.
Also, have a UI that can securely store/retrieve these secrets. To retrieve them, the service will have to have the vsecm:trust:stardubz.example.com (and other relevant) ClusterSPIFFEIDs.
To show them on the UI securely, we'd need the Web Crypto API.
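As an added example (not vsecm's own code), the three mechanical pieces of the design above in Go: parsing the GET /secrets/&lt;trust-domain&gt;+&lt;key&gt; path, mapping a trust domain to the vsecm:trust:&lt;trust-domain&gt; workload name, and merging what several tenants registered for the same trust domain. The rule that two tenants setting the same key to different values is rejected is my assumption, and encrypting the response is left out.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Prefix of the special workload name the discussion proposes for
// relayed secrets of a trust domain: vsecm:trust:<trust-domain>.
const trustWorkloadPrefix = "vsecm:trust:"

// TrustWorkloadName returns the workload name a relayed secret is stored under.
func TrustWorkloadName(trustDomain string) string {
	return trustWorkloadPrefix + trustDomain
}

// ParseRelayPath splits GET /secrets/<trust-domain>+<key> into its parts.
func ParseRelayPath(path string) (trustDomain, key string, err error) {
	const prefix = "/secrets/"
	if !strings.HasPrefix(path, prefix) {
		return "", "", errors.New("not a relay secret path")
	}
	parts := strings.SplitN(strings.TrimPrefix(path, prefix), "+", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("malformed relay path %q: want <trust-domain>+<key>", path)
	}
	return parts[0], parts[1], nil
}

// MergeTenantSecrets merges the secrets several tenants registered for the
// same trust domain (the discussion says they are MERGED). Assumption, not
// from the page: a key set to different values by two tenants is an error,
// so one tenant can never silently shadow another tenant's secret.
func MergeTenantSecrets(perTenant map[string]map[string]string) (map[string]string, error) {
	merged := map[string]string{}
	owner := map[string]string{} // key -> tenant that first set it
	for tenant, secrets := range perTenant {
		for k, v := range secrets {
			if prev, dup := owner[k]; dup && merged[k] != v {
				return nil, fmt.Errorf("key %q: %s and %s disagree", k, prev, tenant)
			}
			merged[k], owner[k] = v, tenant
		}
	}
	return merged, nil
}
```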