vmware-tanzu / secrets-manager

VMware Secrets Manager is a lightweight secrets manager to protect your sensitive data. It’s perfect for edge deployments where energy and footprint requirements are strict—See more: https://vsecm.com/
BSD 2-Clause "Simplified" License

DRAFT: vsecm meta api #1181

Open v0lkan opened 5 days ago

v0lkan commented 5 days ago
w:example
n:example-apps
s:gen:{"username":"admin-[a-z0-9]{6}","password":"[a-zA-Z0-9]{12}"}
t:{"ADMIN_USER":"{{.username}}","ADMIN_PASS":"{{.password}}"}
--
w:example
n:example-apps
s:gen:{"username":"admin-[a-z0-9]{6}","password":"[a-zA-Z0-9]{12}"}
t:{"ADMIN_USER":"{{.username}}","ADMIN_PASS":"{{.password}}"}
--

A secret "value" that has this structure will NOT be stored as is, but will be transformed into a declaration IF it is coming from a relay client.

A relay "Server" will have a registered secret similar to the text above "per trust domain" that it is going to relay.

A GET /secrets/stardubz.example.com+{key} will return an encrypted version of the above secret.

The secrets will be stored as if they were a secret registered to a special vsecm:trust:stardubz.example.com workload name (this would make it easy for an operator to create secrets "for" trust domains).

In a multi-tenant scenario, if multiple tenants define different secrets for the same trust domain, the secrets will be MERGED.

Also, have a UI that can securely store/retrieve these secrets. To retrieve it, the service will have to have vsecm:trust:stardubz.example.com (and other relevant) ClusterSPIFFEIDs.

To show it on the UI securely, we'd need the Web Crypto API.
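As an added worked example that is not part of the issue or of the vsecm code base: the Go function below takes the s:gen: fields from the declaration above (already decoded from the JSON, as a map) and the t: template, and produces the rendered secret a relay would store. It assumes the pattern subset the issue uses, literal text plus [class]{n} where the class is any RE2 character class drawn from printable ASCII; Materialize and classRE are this example's own names, and the w:/n: routing lines and the GET endpoint are outside its scope.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
	"strconv"
	"strings"
	"text/template"
)

var classRE = regexp.MustCompile(`\[([^\]]*)\]\{(\d+)\}`) // one "[class]{n}" unit of an s:gen: pattern

// Materialize expands each [class]{n} in gen with crypto/rand characters (literal text is kept) and renders the t: template.
func Materialize(gen map[string]string, tmpl string) (string, error) {
	fields, buf := make(map[string]string, len(gen)), new(strings.Builder)
	t, err := template.New("t").Option("missingkey=error").Parse(tmpl)
	for name, pattern := range gen {
		fields[name] = classRE.ReplaceAllStringFunc(pattern, func(m string) string {
			sub := classRE.FindStringSubmatch(m) // sub[1] = class body, sub[2] = count
			re, cerr := regexp.Compile("^[" + sub[1] + "]$")
			var set []byte // printable ASCII members of the class
			for c := byte(33); cerr == nil && c < 127; c++ {
				if re.Match([]byte{c}) {
					set = append(set, c)
				}
			}
			if cerr != nil || len(set) == 0 { // refuse rather than emit a shorter secret
				err = fmt.Errorf("bad character class in pattern %q", pattern)
			}
			var b strings.Builder
			for n, _ := strconv.Atoi(sub[2]); n > 0 && err == nil; n-- {
				k, _ := rand.Int(rand.Reader, big.NewInt(int64(len(set)))) // unbiased; a failed Reader panics (fails closed)
				b.WriteByte(set[k.Int64()])
			}
			return b.String()
		})
	}
	if err == nil {
		err = t.Execute(buf, fields)
	}
	return buf.String(), err
}

func main() { // sample spec taken from the issue's declaration block
	gen := map[string]string{"username": "admin-[a-z0-9]{6}", "password": "[a-zA-Z0-9]{12}"}
	fmt.Println(Materialize(gen, `{"ADMIN_USER":"{{.username}}","ADMIN_PASS":"{{.password}}"}`))
}
```

Each character comes from an unbiased crypto/rand draw, a reversed or empty class is rejected instead of silently shortening the credential, and a template that names a field the generator did not produce fails instead of rendering "<no value>".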

v0lkan commented 5 days ago

Note: Possibly kind: VSecMSecret would be capable of doing most of this.

Will keep this issue around until we have a mature kind: VSecMSecret and then decide about its fate.