Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add flexibility for versioned secrets to KeyPerFileConfigurationProvider/Source #59464

Open
1 task done
msft-mw opened this issue Dec 12, 2024 · 0 comments
Open
1 task done

Add flexibility for versioned secrets to KeyPerFileConfigurationProvider/Source #59464

msft-mw opened this issue Dec 12, 2024 · 0 comments
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions

Comments

@msft-mw
Copy link

msft-mw commented Dec 12, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I am trying to read versioned secrets that are created by the Azure Key Vault CSI driver but there is not enough extensibility to correctly map the secrets into my configuration.

Example: I have a certificate used for token encryption and decryption. The certificate is in the process of being rolled and so for a period of time I need both the current and the v-next version of the secret loaded into my configuration. The CSI driver creates files on disk in the following structure:

/mnt/secrets
      /Service__SigningCertificates
          /0
          /1

where 0 and 1 are the two versions of the certificate. In my code I have an options object:

{
    class ServiceOptions
    {
        public IEnumerable<string> SigningCertificates { get; set; }
    }
}

The KeyPerFileConfigurationProvider ignores any directories, so I cannot point it at /mnt/secrets to get the certificates loaded. I know that I can add a Composite File Provider to add the subdirectory to the KeyPerFileConfigurationProvider but because it uses the file names as keys, I end up with configuration keys of 0 and 1 which are not usable.

Describe the solution you'd like

A version of the KeyPerFileConfigurationProvider that understands the subdirectory format that the Key Vault secret store csi driver creates, or a version that exposes a callback so that I can override the configuration keys that the provider generates.

Additional context

No response
@dotnet-issue-labeler dotnet-issue-labeler bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label Dec 12, 2024
@gfoidl gfoidl added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically labels Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gfoidl @msft-mw